This article is more than 2 years old

Only 11% of agency devices have had multi-factor authentication rolled out to them.

Well, this is embarrassing.

The US Department of State has confirmed that it has suffered a data breach which exposed the personally identifiable information of some employees.

News of the breach was first reported by Politico, who pointed out that the department has often been a target for state-sponsored hacks.

(Perhaps the most notable incident occurred in 2014 when attacked by Russian hackers, where an NSA Deputy Director described the battle for control over the State Department’s systems as virtually “hand-to-hand combat.”)

According to reports, the State Department detected “suspicious activity” against one of its email systems, exposing information about an undisclosed number of employees.

“The Department recently detected activity of concern in its unclassified email system, affecting less than 1 per cent of employee inboxes.”

Affected employees have been notified, and there has been no detection of suspicious activity related to the Department’s classified email system.

TechCrunch points out that earlier this year an analysis of federal cybersecurity measures determined that only 11% of the State Department’s devices are protected with some form of multi-factor authentication.

Google, for instance, recently underlined how successful their adoption of multi-factor authentication had been – noting that none of the technology giant’s 85,000 employees had been successfully phished on their work-related accounts since early 2017, when staff were given hardware security keys.

As five senators pointed out in a letter to Secretary of State Mike Pompeo, that is a breach of the Federal CyberSecurity Enhancement Act which requires all executive branch agencies to enable multi-factor authentications for all accounts with “elevated privileges”.

Multi-factor authentication is not a guarantee that an account cannot be hacked, but it does make it significantly harder for hackers to breach accounts and steal sensitive data.

You would like to think that the US Department of State would understand the importance of rolling out multi-factor authentication. After all, there’s been rather a lot in the news of late about how hackers from other countries might have an unhealthy interest in breaking into US government email accounts…

Read more about two-step verification:

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.