The State Department has confirmed a data breach affecting an unknown number of employees.
A spokesperson told TechCrunch that the breach affected “less than 1 percent” of unclassified employee inboxes. “We have not detected activity of concern in the Department’s classified email system.”
“We determined that certain employee personally identifiable information may have been exposed and those employees were notified,” the spokesperson said.
The department said an interagency investigation — including help from the private sector — is underway and declined to share further information.
Politico was first to report the incident, citing a notice on the department’s internal pages.
State is said to be using Microsoft’s Office 365 cloud-based email service for unclassified work.
It’s not known what’s to blame for the breach. A report published earlier this year by administration watchdog Government Accountability Office said that the State Department had only rolled out some form of two-factor authentication to 11 percent of required agency devices, despite a legal requirement to secure all accounts with higher privileges.
Ron Wyden, a Democratic U.S. Senator from Oregon, and several bipartisan colleagues, said in a letter last week that the department was “failing to meet federal cybersecurity standards” that could make it “significantly harder for foreign governments or criminals to access accounts.”
The Federal Cybersecurity Enhancement Act, signed into law in 2015, requires every agency to improve cybersecurity practices.
The law was introduced after a catastrophic data breach at the Office of Personnel Management months earlier, exposing over 21 million records of security-cleared government employees, including their biometrics.
It’s not known if the two are linked but the state of cybersecurity at State doesn’t look so good right now.