Watchdog Knocks State Department for Thousands of Zombie Accounts

Kumpol Chuansakul/

Most of the inactive accounts have been dormant for more than a year -- in violation of agency policy.

The State Department’s unclassified computer networks are cluttered with more than 2,000 inactive user accounts that the agency has failed to properly shut down and which hackers could exploit to gain access to State's networks.

Most of the inactive accounts have been dormant for more than a year, according to an inspector general report originally marked “sensitive but unclassified” and publicly released June 3.

Of the 40,794 domestic accounts listed in State’s digital directory, the IG discovered 2,601 accounts had not been disabled after 90 days of inactivity as mandated by agency policy. The majority of those accounts -- 1,932 -- had been inactive for more than a year.

Unused accounts left running on a network can be exploited by hackers “to gain access to sensitive information that could compromise the integrity of the department’s network and cause widespread damage across the department’s IT infrastructure,” the report stated.

» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.

The risks are heightened with inactive accounts that have administrative privileges, the IG said.

The accounts surveyed by the IG included both user accounts as well as mailbox accounts (which are tied to user accounts, though technically separate) and other nonuser accounts used to run services on specific applications and servers.

State lacks a centralized process for managing user accounts, the IG reported, and relies on individual system administrators to manually disable active accounts rather than an automated process that can scan for and disable zombie accounts.

This isn’t the first time the IG has warned State of the risks of idle accounts, first raising the issue in a 2014 review of the agency’s information security practices. However, the IG says State hasn’t taken action to address its recommendations, including putting in place a centralized system to track user accounts.

State does not concur with the IG’s longstanding recommendations, according to an agency response included in the report.

The agency response pointed to State’s expansion of two-factor authentication -- requiring employees to use personal identity verification smart cards to log on to the agency’s unclassified networks. So far, State has implemented two-factor across all domestic workstations and plans to complete worldwide rollout over the next three years.

The department’s response also said it was turning its focus to reducing the number of privileged user accounts and that it “continues to routinely delete stale accounts,” including through a monthly scrub of inactive accounts.

The IG said the results of its review show the agency’s efforts to identify stale accounts are “ineffective” and that the focus on smart cards won’t fully address the risks of inactive user accounts.

Last year, the State Department requested $10 million in additional funding to rebuild both its classified and unclassified networks following a high-profile hack in the fall of 2014 of the agency’s unclassified network purportedly by Russian hackers. The breach forced the agency to disconnect its unclassified email system. The same hackers also broke into unclassified White House networks around the same time.

The audit was conducted by independent public accounting firm Williams, Adley & Company, LLP, on behalf of the IG’s office.