Hillary Clinton’s efforts to move on from a damaging email controversy suffered their biggest setback yet on Wednesday with the release of an internal report finding she broke multiple government rules by using a private server rather than more secure official communication systems.

The 78-page investigation by the inspector general of the state department singled out several previously unknown breaches by Clinton while she was secretary of state, including the use of mobile devices to conduct official business without checking whether they posed a security risk.

Although the report is potentially less damaging than a separate investigation by the FBI into whether she broke federal laws, it poses a significant challenge to the Clinton campaign, which has recently slipped behind Donald Trump in opinion polling.

Trump has stepped up attacks on Clinton’s trustworthiness in recent days and is likely to seize on the report as Democrats wait nervously for the FBI decision on whether to bring charges against Clinton or any of her advisers.

House speaker Paul Ryan said: “No public official is above the law. Secretary Clinton’s actions were at best negligent and at worst harmful to our national security. The state department should work to ensure that all employees strictly comply with the law, and follow the IG’s recommendations to strengthen its record-keeping system.”

The Clinton campaign put a brave face on the inspector general’s report on Wednesday, pointing to sections that dealt with similar lapses in email security by previous office holders.

A spokesman for Clinton said the report showed that her email practices were “consistent” with those of past secretaries and senior officials.

A Clinton spokesman, Brian Fallon, said that the report showed problems with the state department’s electronic record-keeping systems “were longstanding” and emphasized that her use of a private email server “was known to officials within the department during her tenure”.

Fallon acknowledged that “steps ought to have been taken” to better maintain official records.

However, the full report, a copy of which was obtained by the Associated Press (AP), cites “longstanding, systemic weaknesses” related to the agency’s communications. These started before Clinton’s appointment as secretary of state, but her failures were singled out as more serious and were said to disregard various state department guidelines for avoiding cybersecurity risks.

The report also found that state department staff who raised the issue of Clinton’s email practices were effectively silenced. Two information resources managers went to their head of department in late 2010, it found. “In one meeting, one staff member raised concerns that information sent and received on Secretary Clinton’s account could contain federal records that needed to be preserved in order to satisfy federal record keeping requirements,” the report said.

But the staff member later recalled that the director said Clinton’s personal system had already been reviewed and approved by legal staff “and that the matter was not to be discussed any further”, the reported continued. Yet “as previously noted, OIG found no evidence that staff in the Office of the Legal Adviser reviewed or approved Secretary Clinton’s personal system.”

The other staff member who raised the issue said the director stated that the department’s mission is to “support the secretary and instructed the staff never to speak of the secretary’s personal email system again”.

Despite guidelines to the contrary, Clinton used mobile devices to conduct official business on her personal email account and private server. She never sought approval from senior information officers, who would have refused the request because of security risks, the audit said.



“By Secretary Clinton’s tenure, the department’s guidance was considerably more detailed and more sophisticated,” it concluded. “Secretary Clinton’s cybersecurity practices accordingly must be evaluated in light of these more comprehensive directives.”

Clinton’s private email server appears to have been a target for hackers. The IG report found that on 9 January 2011, a technical adviser retained by former president Bill Clinton said he had shut down the server because he thought there was “someone was trying to hack us and while they did not get in i didnt [sic] want to let them have the chance to”. There was another suspected attack later the same day. On 10 January, Clinton’s aide Huma Abedin told officials not to send her “anything sensitive” and said she could “explain more in person”.



The IG report states that on 13 May 2011, “two of Secretary Clinton’s immediate staff discussed via email the Secretary’s concern that someone was ‘hacking into her email’ after she received an email with a suspicious link”. It added: “However, OIG found no evidence that the Secretary or her staff reported these incidents to computer security personnel or anyone else within the Department.”

Asked about the hacking claims on Wednesday, a state department official, who did not wish to be named, said: “There are no findings about the security of secretary Clinton’s email system. The hacking email that is referenced includes language to the effect that the hack was not successful. That’s just from the email that it cited. But beyond that there’s no finding one way or the other about the security.”

The official also told reporters: “I think it’s clear from the report that the department could have done a better job preserving emails and records of secretaries of state and their senior staff going back several administrations. And we also acknowledge the report’s finding that compliance with email and records management guidance has been inconsistent across several administrations.”

Asked for a straight answer as to whether Clinton did anything wrong, the official replied: “I think the IG report speaks for itself in that it found that leaving the department with her emails, secretary Clinton didn’t act in compliance with all the records policies in place. However, it also finds – and NARA has found – that she mitigated those problems and the department has mitigated those problems.

“With respect to whether secretary Clinton was allowed to use a personal email, the IG report finds that she did not seek approval and the department did not provide it. She has said that she wouldn’t make the same decision again, and the IG report notes that senior Department officials say that they wouldn’t have recommended it had she asked.”

Clinton has been dogged by questions about her email practices for more than a year, since the AP revealed that the clintonemail.com server was in the basement of her New York home while she served as the nation’s top diplomat from 2009-2013.

Though accepting it “highlighted challenges [it] and others are facing” the state department itself sought to downplay the independent report by its inspector general at a briefing in Washington.

“The policies regarding use of email have only really been clarified over the past several years. Many agencies are struggling with it,” spokesman Mark Toner told reporters at a daily press briefing.



“We do now have policies that would make it hard to set up alternative email. Clinton said she would not have made same choice again.”

He rejected suggestions, however, that the department was trying to “spin” the report, which will be officially published on Thursday.

“There’s not any effort to spin this. There’s not any effort to hide or obfuscate,” said Toner. “We acknowledge that we need to do a better job with our record keeping.”