State Department reveals data breach, employee information exposed

The data breach took place due to a compromised email system belonging to the department.
Written by Charlie Osborne, Contributing Writer

The US State Department has confirmed a data breach that has led to the exposure of employee data.

As reported by Politico, the personally identifiable information (PII) of some of the State Department's workforce has been exposed; however, the data breach is not thought to impact more than one percent of the staff roster.

"We have determined that certain employees' personally identifiable information (PII) may have been exposed," an alert states, dated September 7. "We have notified those employees."

The security notice was marked "Sensitive but Unclassified." No technical details of the security incident have been released to the public, and it has not been disclosed who may be responsible.

According to the department, the impacted email system is considered unclassified, and there is no evidence to suggest other, classified email networks have also been compromised.

The State Department says it is currently investigating the incident and is "working with partner agencies to conduct a full assessment" of the data breach.

"Like any large organization with a global presence, we are a constant target for cyberattacks," the State Department said. "This is a good opportunity to remind everyone that we all play an important role in protecting Department information, especially when it comes to the use of secure and safe passwords, and reporting suspicious activity."

Indeed it is, but it was only last week that the department was heavily criticized for poor security practices.

In a letter sent to Secretary of State Mike Pompeo, five US senators demanded to know why few basic security measures, such as the use of multi-factor authentication (MFA), were in place to secure the department's systems. A report published by the General Services Administration (GSA) has suggested that only 11 percent of "high-value" devices used by the department had MFA enabled.

The State Department says that steps "have been taken" to secure systems, and that employees involved in the data breach will be given three years of free credit monitoring.

The exposure of sensitive information belonging to federal employees is appalling but does not come close to the 2015 Office of Personnel Management (OPM) data breach, in which close to 22 million employee records were exposed in two separate attacks.

"We are working with the interagency, as well as the private sector service provider, to conduct a full assessment," a State Department official told the Washington Examiner. "The Department is always actively engaged in identifying cybersecurity threats and protecting its networks. This is an ongoing investigation. We have no additional information to share at this time."
