The Peace Corps’ digital environment is riddled with weak spots – from exposed sensitive files to critical phishing gaps – leaving data and agency systems vulnerable to threats, a watchdog warned. 

After conducting a cybersecurity test that penetrated four critical IT systems, the Peace Corps’ Office of Inspector General (OIG) said that it “uncovered multiple vulnerabilities and misconfigurations, ranging from informational issues to critical severity risks,” warning in a new report out Friday that those vulnerabilities need immediate attention. 

“The Peace Corps’ information technology network and systems contain extensive data and information that are essential to agency operations, including applicant and Volunteer health information and personally identifiable information of staff and Volunteers,” the report says. 

The agency’s IT infrastructure includes its headquarters in Washington, D.C., and around 57 other locations across the world, which hold data on more than 3,300 volunteers. The Peace Corps experienced three different cybersecurity breaches between 2022 and 2023, which led to improvements in its cyber defenses. 

The OIG found that the Peace Corps’ monitoring capabilities identified the testing activities and demonstrated its incident response procedures. However, the report warns that more cybersecurity work is needed. 

For example, some users had access to Peace Corps data they were not authorized to access, and not all agency personnel could identify a phishing attempt, with nearly 6% of users clicking on a phishing test link.

“If a cyberattack targeted the Peace Corps and resulted in system outages and data loss, it could have a catastrophic impact on the agency by compromising Volunteer safety, interfering with staff productivity, and negatively affecting the Peace Corps’ reputation,” the report warns.  

To tackle mounting cyber risks, the OIG urged the Peace Corps to lock down critical system access, strengthen phishing defenses with better tools and training, create and track remediation plans for high-severity flaws, and institutionalize routine penetration testing and cross-team cybersecurity expertise – steps aimed at keeping mission-critical data secure despite global operations, legacy tech, and tight budgets. 

More specific steps to address vulnerabilities found in its latest penetration tests include institutionalizing cybersecurity by embedding specialists within operations teams, making penetration testing routine, strengthening oversight of remediation plans, cross-training staff, and boosting collaboration with federal partners and vendors to speed detection and response. 

OIG officials said that the Peace Corps Office of the Chief Information Officer has already made progress on addressing vulnerabilities found by the OIG. 

“By addressing these identified vulnerabilities, in conjunction with validating that its systems and tools are properly configured and functioning, the Peace Corps will be able to realize the intended benefits of this review and continue to enhance its IT environment,” the report says.

Weslan Hansen is a MeriTalk Staff Reporter covering the intersection of government and technology.