An email server containing “sensitive but unclassified” data belonging to the State Department was breached, the government agency announced earlier this month. The information included personally identifiable information of an undisclosed number of employees who have since been notified.

While the breach itself is relatively minor, it highlights the relative lack of progress made by the department to enact more rigorous security measures, despite repeated hack attempts and security breaches. A study released by the Government Accountability Office earlier this year showed that the State Department has deployed two-factor authentication to only 11% of the devices used by staff. Two-factor authentication is a legal requirement and also considered a bare minimum protocol for cybersecurity protection.

The State Department has long been the target of hackers, specifically from hackers with connections to Russian spearphishing campaigns. This includes a months-long 2014 incident  that has been described as the digital equivalent of “hand to hand combat” with cyber attackers. Oregon Senator Ron Wyden went so far as to send a letter to Secretary of State Mike Pompeo urging him to “improve compliance by enabling more secure authentication mechanisms across the Department of State’s information systems.”

Cybersecurity has been a requirement at the federal level since the passage of the Federal Cybersecurity Enhancement Act of 2015, which became law in the wake of the catastrophic breach of the Office of Personnel Management that exposed the records of 21 million employees.