Dive Brief:
- A report from the State Department’s inspector general found that more than 2,600 inactive user accounts remain on the agency's networks.
- The audit of the State Department’s digital directory, conducted by independent public accounting firm Williams, Adley & Company LLP on behalf of the IG’s office, found 2,601 accounts in State’s digital directory that had not been disabled after 90 days of inactivity, as agency policy requires.
- Almost 2,000 of the inactive accounts had gone unused for more than a year, the report said.
Dive Insight:
Malicious actors could exploit inactive user accounts to gain access to the sensitive information housed in the systems and "compromise the integrity of the department’s network and cause widespread damage across the department’s IT infrastructure," according to the report.
The IG also criticized State for lacking a centralized, automated process for managing user accounts and disabling them once they have been unused for 90 days.
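The kind of check such an automated process would run, as an added illustration (this is not code from the IG report, the auditors or the State Department): it reads a directory export, measures each enabled account's inactivity against the 90-day policy, and separates out the accounts idle for more than a year, the two buckets the report counted. The export format, column names and the accounts in it are constructed for the example; a real directory (for instance Active Directory's lastLogonTimestamp) needs its own extraction step, and the audit date is pinned so the result is reproducible.

```python
"""Stale-account audit over a constructed directory export (added example).

Assumes an export with columns account,enabled,lastLogon,created; these names are
the example's own, not a real directory schema.
"""
import csv
import io
from datetime import datetime, timezone

POLICY_DAYS = 90        # disable after this many days without a logon (the agency policy)
LONG_STALE_DAYS = 365   # the report's "unused for more than a year" bucket

# Constructed sample export: not real accounts. An empty lastLogon means "never logged on".
SAMPLE_EXPORT = """\
account,enabled,lastLogon,created
asmith,true,2016-05-20T09:12:00Z,2014-01-10T00:00:00Z
bjones,true,2015-02-01T14:00:00Z,2013-06-01T00:00:00Z
cdoe,true,2016-01-15T08:30:00Z,2015-12-01T00:00:00Z
dlee,false,2014-11-03T11:00:00Z,2012-03-15T00:00:00Z
contractor7,true,,2015-09-01T00:00:00Z
newhire,true,,2016-05-25T00:00:00Z
"""

# Fixed "today" so the audit below is reproducible (assumed date, not from the report).
AS_OF = datetime(2016, 6, 1, tzinfo=timezone.utc)


def _parse_ts(s):
    s = s.strip()
    if not s:
        return None
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_export(text):
    """Turn the CSV export into a list of account records with parsed timestamps."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "account": row["account"],
            "enabled": row["enabled"].strip().lower() == "true",
            "last_logon": _parse_ts(row["lastLogon"]),
            "created": _parse_ts(row["created"]),
        })
    return rows


def days_inactive(acct, as_of=AS_OF):
    """Whole days since the last logon. An account that has never logged on is measured
    from its creation date; otherwise it would never age out of the policy at all."""
    ref = acct["last_logon"] or acct["created"]
    return (as_of.date() - ref.date()).days


def audit(accounts, as_of=AS_OF):
    """Return the enabled accounts past the 90-day policy and, within those, the ones
    idle for more than a year. Accounts already disabled are not findings."""
    overdue = []     # (account, idle days): should already have been disabled
    over_year = []   # subset idle for more than LONG_STALE_DAYS
    for acct in accounts:
        if not acct["enabled"]:
            continue
        idle = days_inactive(acct, as_of)
        if idle > POLICY_DAYS:
            overdue.append((acct["account"], idle))
            if idle > LONG_STALE_DAYS:
                over_year.append(acct["account"])
    return {"overdue": overdue, "over_year": over_year}


def disable_actions(report):
    """The actions an automated job would take, rendered as text for review."""
    return [f"disable {name}  # idle {idle} days" for name, idle in report["overdue"]]


if __name__ == "__main__":
    report = audit(parse_export(SAMPLE_EXPORT))
    print(f"{len(report['overdue'])} enabled accounts past {POLICY_DAYS} days, "
          f"{len(report['over_year'])} of them idle over a year")
    for line in disable_actions(report):
        print(line)
```

Two points the audit has to get right are visible in the sample: the disabled account is skipped rather than counted again, and the never-used contractor account is aged from its creation date, since an inactivity check keyed only on the last logon silently exempts accounts that were provisioned and never picked up.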
The State Department contested the report, claiming that it "continues to routinely delete stale accounts," according to the report.
Keeping a user directory accurate, so that accounts are disabled or removed when people leave or contracts end, is a growing challenge for both government and businesses. Failing to do so can present significant security concerns.
In April, a U.S. federal jury ordered Tata Consultancy Services to pay Epic Systems Corp. $940 million after a TCS employee used credentials from a previous contract to illegally access confidential data. The employee reportedly accessed an Epic web portal using prior TCS credentials for more than two years and even shared the credentials with other TCS employees. In addition to the long-term unauthorized access, other people used the TCS employee’s credentials to download more than 6,000 documents and 1,600 files between June 2012 and June 2014.