On September 18, the U.S. State Department confirmed that one of its email systems was attacked. It didn't follow up with many details—except to say that the personal information of some of its employees could have been compromised.

The U.S. government has been a hot target for hackers for a while. In late 2014, Russian hackers and the NSA fought for control of State Department servers. This rolled over into the 2016 presidential campaign, with evidence supporting Russian meddling with DNC servers.

In 2009, a breach affected 76 million National Archives and Records Administration (NARA) records. Three years prior, the U.S. Department of Veterans Affairs was hacked, exposing 26.5 million accounts.

The list just keeps growing. In the past decade, more than 348 million records have been exposed in over 10 major data breaches.

Why does history keep repeating itself? Why hasn't the U.S. government been able to secure its user data?

If the State Department isn't setting high standards, where can teams look for expert guidance on securing sensitive personal data? This piece highlights gaps in current practices and provides examples of what innovative teams like Reddit and Instagram are doing to raise the bar.

Where the State Department (and Other Teams) Fall Short in Securing Personal Data

By many accounts, the U.S. State Department has fallen short in managing its sensitive data. A lack of two-factor authentication (2FA) is one reason it's not up to date. We'll dig into this in just a minute.

The State Department also doesn't have a strong record of communication surrounding data breaches.

Why is this important? Communication is key to clarifying an incident internally, taking action, and enlisting users to help in the solution.

After the September 2018 breach, the response was slow to roll out — and once it did, it was vague.

U.S. State Department Information About Potential PII Breach


The email noted that “activity of concern . . . affecting less than 1% of employee inboxes” had been detected and that steps had been taken “to secure [the] system.”

The State Department also determined that “certain employees' personally identifiable information (PII) may have been exposed” and said that those affected had been notified.

This leaves several questions unanswered: How many accounts were actually compromised? What data was taken? What is the State Department doing to be sure this doesn't happen again? The lack of clarity isn't helpful to anyone involved.

Following the email breach, the department “convened a task force to examine the incident” but didn't reach a conclusion, according to Politico.

The government isn't the only one botching responses to data breaches. T-Mobile also missed the mark following its recent attack.

It quickly sent out text messages meant to give people a heads-up about the incident — but it looked like more phishing to many recipients.

T-Mobile Tweet about breach resembling phishing


With a growing number of data breaches (more than 580 million exposed records in the past five years), it's hard for all organizations — in both the public and the private sector — to keep pace. Yet a few teams are managing to outshine the rest. Leaders across industries should take note.

Take a page from Reddit

The State Department (and other teams) could take a page from how Reddit handled its recent data breach.

Reddit Breach Announcement and description of events

Reddit Breach Announcement of what Reddit is doing about it


Reddit found out about the breach on June 19, 2018. It had occurred between one and five days prior, and Reddit published this information shortly after.

The statement was timely and thorough. The company outlined exactly how the attack occurred (a vulnerability in its SMS 2FA software), what the hacker was able to access (read-only access to Reddit backup data, source code, and other logs), and what the company has done to fix things (lock down and rotate all production secrets and API keys and enhance its other security systems).

Although divulging any security attack isn't pleasant, the level of detail that Reddit provided helped rebuild trust in its team and deliver a measure of ease in a stressful situation.

You don't have to be a billion-dollar company like Reddit to take note of these strategies. Teams of all sizes can and should invest in updating their security practices.

Instagram Steps Up with Two-Factor Authentication

Reddit is one good example of how to handle a data breach. Instagram is also stepping up its game in this arena by introducing two-factor authentication for its users.

How to enable 2FA on Instagram from profile settings


Simply go into Settings, navigate to Two-Factor Authentication, and turn the feature on.

From there, you can select your security method, including text-message codes or an authentication app like Duo.

Instagram 2FA Control Panel integrating with Duo Mobile

Auth0 also offers its own authentication app, Guardian.

The new login options specifically help guard against SIM swapping, which has been rampant on Instagram lately. In a SIM swap (also called a SIM hijack or a port-out scam), criminals target Instagram users with short or unique usernames. They're able to steal the victims' accounts by taking control of their cell-phone numbers, which lets them reset the password on any account linked to that number.

Instagram also has a large incentive to up its security measures following a slew of recent scandals, including Cambridge Analytica, Facebook's disinformation incident, and the latest Facebook access-token security breach.

Instagram Could Drive Greater Adoption of 2FA

A recent study shows that 2FA adoption still hovers below 30% — and over 90% of Gmail users still haven't adopted 2FA, despite its numerous security benefits. Because two-factor authentication requires a second form of identification (e.g., a phone or another hardware device, such as a USB drive; or a biometric, such as a thumbprint or facial recognition), it decreases the chances that an attacker can impersonate a user.

The issue with 2FA is that getting comfortable with it is difficult. Users usually have to find the setting and turn it on themselves. This can often be a very technical process that turns less advanced users off. They prefer to stick with what they know.

Instagram's improved 2FA user experience could drive more widespread adoption of the feature. Instagram has 1 billion monthly active users and is the fastest growing social media platform.

Its users are extremely comfortable with the app. Most are on it about 30 minutes per day. Teenagers, in particular, are power users. Sixty-three percent of 13- to 17-year-olds use Instagram daily.

The more comfortable Instagram users become with 2FA, the more likely they are to adopt it in their other apps.

Time to Make Updates

Taking steps to improve your security, no matter what your size or industry, is essential. Whether this is by incorporating two-factor authentication, improving communications around a recent incident (or in preparing for one), or outsourcing some or all of your needs for advanced identity and access management, you can (and must) start somewhere.

In today’s rapidly evolving threat environment, with an increasing number of incidents and accounts compromised, keeping yourself informed and taking advantage of new tools and features will help secure your users as you grow.

About Auth0

Auth0, a global leader in Identity-as-a-Service (IDaaS), provides thousands of enterprise customers with a Universal Identity Platform for their web, mobile, IoT, and internal applications. Its extensible platform seamlessly authenticates and secures more than 1.5B logins per month, making it loved by developers and trusted by global enterprises. The company's U.S. headquarters in Bellevue, WA, and additional offices in Buenos Aires, London, Tokyo, and Sydney, support its customers that are located in 70+ countries.

For more information, visit https://auth0.com or follow @auth0 on Twitter.