State Department confirms Data Breach

POLITICO reported that the State Department suffered a data breach. According to reports, some employees had their personal information exposed by a breach of an unclassified email system.

TechCrunch is also reporting that a report published earlier this year by administration watchdog Government Accountability Office said that the State Department had only rolled out some form of two-factor authentication to 11 percent of required agency devices, despite a legal requirement to secure all accounts with higher privileges.

Gary McGraw, VP of Security Technology at Synopsys, said: "Sadly, many important departments in the US government continue to lag when it comes to computer security.  If the State Department has trouble rolling out two factor authentication to protect the majority of its users (something that many corporations have had in place for years), how can we expect other aspects of its operations to be secure?  This breach provides more evidence that leadership in computer security can more likely be found in the private sector than in the public sector."

Sam Curry, chief security officer at Cybereason, added: "In the past, the State Department has turned down help from other agencies to help them identify problems and improve. There are a lot of reasons for this such as they don’t want national security agencies snooping through their networks, can’t afford any down time, etc. However, considering the immense target that the Department represents, it is not a very compelling case.

"One of the other challenges they face is the government procurement process. It is very difficult for State to buy new technology and continually improve the way the Global 1000 companies do and fundamentally this is likely a hack that led to a breach and not some type of insider issue. It’s no more or no less, and how it is handled, the context of it as an incident, the PII exposed, the response and the future readiness by the State Department and other agencies is what matters."