The breach may have compromised employee personal information in less than 1 percent of email inboxes.
The State Department detected unusual activity in its unclassified email system that may have compromised some employees’ personal information, a department spokesperson confirmed to Nextgov Tuesday.
The “activity of concern” affected less than 1 percent of State employee email inboxes, the spokesperson said. There’s no evidence that unusual activity affected State’s classified email system, the spokesperson said.
The breach was first reported by Politico.
“This is an ongoing investigation and we are working with partner agencies, as well as the private sector service provider, to conduct a full assessment,” the spokesperson said, adding that “we will reach out to any additional impacted employees as needed.”
The department is providing three years of free credit monitoring and identity protection services to affected employees, the spokesperson said.
State has received consistently poor marks on information security audits, including a recent General Services Administration report, which found the department had only deployed multi-factor authentication—a standard protection against phishing attacks—across 11 percent of agency devices.
Another report from State’s inspector general found only one-third of overseas missions were conducting basic cybersecurity checks.
Those reports prompted a letter last week from a bipartisan group of senators asking how State is fixing its cyber vulnerabilities.
Among other things, the letter asked for statistics about successful and unsuccessful breach attempts against State Department computer systems located abroad during the past three years.