Clinton Email Fail: Worst Government Security Flubs
Hillary Clinton isn't the first politician to have committed a data compliance faux pas when it comes to email. CIOs, compliance departments, and privacy officers would do well to learn from the mistakes of those who screwed up before her.
Hillary Rodham Clinton has been in the spotlight this month after reports emerged that she exclusively used a personal email account, instead of a government-issued one, to conduct official US business during her tenure as Secretary of State. The House Select Committee on Benghazi (already investigating Clinton) and the House Oversight Committee will now join to determine if Clinton violated any laws in failing to release emails.
Worse, Clinton's email was based on her own home server -- a matter that State Department technology staffers reportedly voiced security concerns over.
Many argue that the issue is overblown, noting that former Secretary of State Colin Powell, too, used personal email for government business when he held the post. Clinton critics maintain that precedent does not change the data security issues.
"Personal emails are not secure," said Thomas S. Blanton, Director of National Security Archive, a government transparency advocacy group. "Senior officials should not be using them."
Indeed, several of Clinton's emails were leaked in March 2013 by Romanian hacker Marcel Lazar Lehel, a.k.a. "Guccifer," after he hacked the AOL email account of Sidney Blumenthal, a longtime Clinton family advisor. While Blumenthal held no official post at the time, he and Clinton shared sensitive foreign intelligence data, including information related to the 2012 Benghazi terror attacks.
(Around the same time as the Blumenthal/Clinton leaks, incidentally, Guccifer demonstrated that he had hacked Powell's AOL account as well.)
Other politicos have made mistakes as well when it comes to email security and compliance. Below are three examples of government officials engaging in bad email behavior. Judge for yourself who made the bigger email blunder.
Paula Broadwell, biographer of then-CIA Director David Petraeus, was found to be having an affair with her subject, and Petraeus had reportedly leaked classified information to Broadwell. The affair came to light during an FBI cyberstalking investigation: Petraeus family friend Jill Kelley was the subject of a cyberstalking campaign allegedly conducted by Broadwell. Of big help to the FBI's investigation was the fact that Broadwell shared a Gmail account with Petraeus. The two used the "Drafts" folder of the account to communicate, deleting and replacing each message rather than sending it. Gmail metadata eventually led the FBI to Petraeus.
The scandal stalled -- if not ruined -- multiple careers. Broadwell lost her security clearance, and Petraeus was forced to resign. Petraeus is also facing two years of probation and a $40,000 fine subject to a plea bargain with the Department of Justice (DOJ) for unauthorized removal and retention of classified material.
When word got out that Sarah Palin had a Yahoo account, David Kernell got to work. Kernell, the son of a then-state legislator in Tennessee, was convinced that there must be something "incriminating" against Palin lying around in her Yahoo email, and he wanted to find it. Accordingly, he set to hacking into Palin's account.
Yahoo's password-reset mechanism allowed Kernell to access Palin's account and reset her password with some basic, publicly available (and easily accessible) information. As Kernell would later brag:
Palin isn't the only person to suffer the slings and arrows of poorly constructed security questions foisted upon users by online service providers. But Palin's tale should certainly serve as a warning to executives and officials tempted to use free personal email accounts to conduct official or sensitive business -- as well as to IT departments on how not to enable a password reset.
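The point about password resets deserves a concrete illustration. The following is an added example, not code from the article or from any provider it mentions; the account record, the security answer and the clock are constructed for the demo. It contrasts the weak pattern the article describes (a static "security question" whose answer can be looked up) with the safer design IT departments should favor: a random, time-limited, single-use reset token that is delivered only to the account's registered address.

```python
import hmac
import secrets
import time

# Constructed demo account; every value here is made up for the example.
ACCOUNT = {
    "email": "official@example.com",
    "security_answer": "springfield",   # the kind of fact a biography gives away
    "password": "old-password",
}


def knowledge_based_reset(account, answer, new_password):
    """The weak pattern: a static question whose answer is public knowledge.

    Anyone who can look up the answer can set a new password; there is no
    proof that the requester controls the account or its mailbox.
    """
    if answer.strip().lower() == account["security_answer"]:
        account["password"] = new_password
        return True
    return False


class TokenReset:
    """Token-based reset: random, time-limited, single-use.

    The token is generated server-side and would be sent only to the
    registered address (delivery is simulated here; the caller gets the token
    back so the demo can complete the flow). `now` is injectable so expiry
    can be tested without sleeping.
    """

    def __init__(self, ttl_seconds=900, now=time.time):
        self.ttl = ttl_seconds
        self.now = now
        self._pending = {}  # token -> (email, expiry timestamp)

    def request(self, account):
        token = secrets.token_urlsafe(32)           # 256 bits of randomness
        self._pending[token] = (account["email"], self.now() + self.ttl)
        return token

    def complete(self, account, token, new_password):
        entry = self._pending.pop(token, None)      # pop enforces single use
        if entry is None:
            return False                            # unknown or already used
        email, expiry = entry
        if self.now() > expiry:
            return False                            # expired
        if not hmac.compare_digest(email, account["email"]):
            return False                            # token issued for someone else
        account["password"] = new_password
        return True


if __name__ == "__main__":
    acct = dict(ACCOUNT)
    print("knowledge-based reset with a public fact:",
          knowledge_based_reset(acct, "Springfield", "attacker-chosen"))
    resets = TokenReset()
    tok = resets.request(acct)
    print("token reset, first use:", resets.complete(acct, tok, "new-password"))
    print("token reset, replayed:", resets.complete(acct, tok, "again"))
```

The contrast is the whole lesson: the knowledge-based path accepts a fact anyone can research, while the token path requires control of the registered mailbox, expires, and cannot be replayed. In a real deployment the token would also be stored hashed and rate-limited per account.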
Lucky for Palin, her Yahoo account was devoid of anything "incriminating."
On February 10, "[i]n the spirit of transparency," possible 2016 Presidential contender Jeb Bush released a massive email dump (332,999 emails, to be exact) from his 1999-2007 tenure as Florida's governor. The emails were posted online in Outlook format at jebbushemails.com.
That website became an oasis for would-be identity thieves. Bush's staff neglected to redact constituents' sensitive information from the Outlook files. The Verge quickly pointed out that the emails were rife with people's personally identifiable information (PII), including names, home addresses, personal email addresses, phone numbers (home, work, and cell), dates of birth, social security numbers, and medical identification numbers.
More than 12,000 people's social security numbers were exposed in the email dump, and Bush's staff had to scramble to quickly remove those, and other personal data.
While Jeb Bush's gubernatorial emails are a matter of public record under Florida's Sunshine Laws, highly sensitive PII, such as social security numbers, is exempt from disclosure. To be fair, the State of Florida's records custodians could well be the ones to blame here. Bush's PAC insists that the emails were copied directly from state archive records as available under the Sunshine Laws.
On the other hand, as another politician with whom Bush is undoubtedly familiar liked to say, "Trust, but verify" -- good security advice for us all.
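"Verify" in this case means scanning the export for sensitive data before it goes online. As an added example, not code from the article or from anyone involved in the Bush release, here is a minimal pre-publication PII check over a mailbox export: it flags social security numbers, phone numbers and dates of birth, counts hits across a whole batch of messages, and redacts them. The sample message is constructed, and the patterns are deliberately simple US formats that a real review would extend.

```python
import re

# Constructed sample of one exported message; every value is made up.
SAMPLE_EMAIL = """From: constituent@example.net
Subject: Help with my benefits claim

My SSN is 123-45-6789 and my date of birth is 04/15/1962.
You can reach me at (850) 555-0142 or 850-555-0199.
Claim number 987654 was denied last month.
"""

# Simple US-format detectors. The SSN pattern rejects the area/group/serial
# values that are never issued (000, 666, 9xx / 00 / 0000) to cut false hits.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "phone": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}-)\d{3}-\d{4}\b"),
    "dob": re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
}


def scan(text):
    """Return {kind: [matches]} for every PII pattern found in one message."""
    return {kind: pat.findall(text) for kind, pat in PATTERNS.items() if pat.search(text)}


def summarize(messages):
    """Count hits per PII kind across a whole export: the number to check before posting."""
    totals = {kind: 0 for kind in PATTERNS}
    for message in messages:
        for kind, hits in scan(message).items():
            totals[kind] += len(hits)
    return totals


def redact(text):
    """Replace each match with a labelled placeholder so the rest of the message survives."""
    out = text
    for kind, pat in PATTERNS.items():
        out = pat.sub(f"[REDACTED-{kind.upper()}]", out)
    return out


def ready_to_publish(text):
    """True only when no detector fires on the (redacted) text."""
    return not scan(text)


if __name__ == "__main__":
    print("findings:", scan(SAMPLE_EMAIL))
    print("totals over export:", summarize([SAMPLE_EMAIL, "nothing sensitive here"]))
    print(redact(SAMPLE_EMAIL))
```

Run against a full export, `summarize` gives the per-category counts that should be zero before anything is posted; `redact` keeps the public-record content while removing the exempt fields the article describes.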