The State Department was hit with an email breach that exposed the personal information of some of its employees.

The agency sent a notice, dated Sept. 7, which described the incident as “activity of concern … affecting less than one percent of employee inboxes” and adding the breach did not affect the agency’s classified email server, according to Politico.

“Governments and online companies that provide services online must secure all the links in their security chain,” Ryan Wilk, vice president of customer success for NuData Security, said. “Bad actors look for the weakest point to access information, so companies have to be extra diligent in keeping their security up to date on all placements.”

Wilk added companies that identify users online, need to devalue the data that bad actors steal and use to misrepresent legitimate users – like they do in account takeover attacks.

He said that personally identifiable information such as names and passwords become valueless to cybercriminals when organization create a new authentication framework that identifies customers by their online behavior instead of relying on credentials.

This will allow them to still recognize the person behind the device or block transactions altogether when fraud is detected. The department did not say whether or not they know who was behind the breach.

Some security professionals pointed out that this breach could send the wrong message to the private sector if the federal government openly flouts their own flaws.

“While we don’t know at this time if multi-factor authentication would have prevented this breach, it’s absolutely shocking that the State Department would shirk their responsibility to comply with the Federal Cybersecurity Enhancement Act of 2015 which mandates its use,” Matt Chiodi, Chief Information Security Officer at  RedLock said.

“It seems that despite multi-factor authentication being a best practice as well as a law for years, no one is holding the State Department accountable outside of a recent letter sent by a bipartisan group of senators.”

Chiodi added that unfortunately the State Department isn’t alone in their security practices and experts agree, two-factor authentication may have played a part in the breach.Tripwire Security Researcher Craig Young said multi-factor authentication can greatly reduce the chances of compromises like this. 

“Password based security is an entirely insufficient at protecting large numbers of users from determined attackers,” Young said. “A long history of major breaches has thoroughly demonstrated that people generally stink at selecting passwords and tend to use the same (or similar) passwords across many sites. Systems which authenticate users based solely on a password are simply not secure.”