Politics

Sen. Pat Toomey’s Campaign Latest Political Email Hacking Target

Targeted email accounts have been dormant for over a year

Sen. Pat Toomey, R-Pa., was the latest senator to be targeted by a foreign phishing scam. (Bill Clark/CQ Roll Call file photo)

Sen. Patrick J. Toomey is the latest U.S. politician to announce his campaign was the target of an attempt to hack into its emails.

Google notified Toomey’s office that “hackers from a nation state may have attempted to infiltrate specific email accounts associated with his campaign apparatus” through a phishing scam, Steve Kelly, a spokesman for the Pennsylvania Republican, said in a statement.

“This underscores the cybersecurity threats our government, campaigns, and elections are currently facing,” Kelly said. “It is essential that Congress impose tough penalties on any entity that undermines our institutions.”

The attacks were not successful. Toomey’s Senate office has not been the target of similar hacking attempts.

Google has not elaborated on the basis of their claim that the hackers may have had ties to a nation-state.

Toomey’s campaign is an odd target for an email phishing attack since he isn’t up for re-election until 2022. He folded up his campaign shortly after winning a second term in 2016.

The email accounts that were targeted are “dormant,” Kelly said, and “haven’t been active in over a year.”

Toomey’s staff was only made aware of the phishing attempt after the campaign’s email administrator received a message from Google about the attack and relayed it to Toomey’s chief of staff.

Toomey isn’t the only senator to receive attempts to infiltrate his email network.

Russia-based GRU, the Kremlin-linked intelligence agency responsible for hacking Democratic National Committee emails in 2016, unsuccessfully attempted a phishing scam on Missouri Sen. Claire McCaskill in February.

Sen. Jeanne Shaheen of New Hampshire has also been targeted by phishers. The FBI and Senate Sergeant at Arms are still working to determine the perpetrators of the attacks on Shaheen.

The episodes with McCaskill, Shaheen, and now Toomey have forced senators to reckon with their security measures in place.

While House staffers are required to take a training course on cybersecurity, their colleagues in the Senate are not.

The SAA is in charge of many of the technical support services and offers regular cyber awareness trainings to staff in lawmakers’ offices, on committees and back home in the states. Sergeant-at-Arms Michael Stenger said in May the SAA had hosted 52 such seminars since the start of 2017.

But there are thousands of users with access to the Senate networks, and policies vary among offices. Turnover, including thousands of interns cycling through each year, makes enforcement of a blanket security policy a challenge.

Both Republicans and Democrats indicated last month they have work to do to ensure attacks like the thwarted one against McCaskill are not successful in the future.

“The cybersecurity threat is very real, and frankly we haven’t stepped up and done what I think we should do to deal with it — which should be an all government response,” Senate Majority Whip John Cornyn of Texas said in July.

Katherine Tully-McManus contributed to this report.

Get breaking news alerts and more from Roll Call on your iPhone or your Android.