The U.S. State Department has again been hit by a cyber attack, and its employees’ personally identifiable information has been compromised. The Department has been repeatedly criticized for its lack of adequate cybersecurity measures.
“We determined that certain employees’ personally identifiable information (PII) may have been exposed,” a September 7 alert informed the agency’s workforce. “We have notified those employees.”
State Department action
A task force was immediately created to investigate the breach. The task force surmised that the agency’s classified networks remained secure, since the attack had targeted an unclassified email system. Before this incident, the agency was mandated to adopt cybersecurity practices, but had implemented measures on only 11% of its devices.
Last year, the State Department’s Inspector General reported that 33% of U.S. diplomatic missions had failed to meet the most basic cybersecurity standards. The testers also found vulnerabilities in email accounts.
US Senate response
One week before the recent attack, a bipartisan US Senate letter to Secretary Pompeo said, “We are sure you will agree on the need to protect American diplomacy from cyber attacks, which is why we have such a hard time understanding why the Department of State has not followed the lead of many other agencies and complied with federal law requiring agency use of MFA.”