Michigan auditors who conducted a fake "phishing" attack on 5,000 randomly selected state employees said Friday that nearly one-third opened the email, a quarter clicked on the link and almost one-fifth entered their user ID and password.
The covert operation was done as part of an audit that uncovered weaknesses in the state government's computer network, including that not all workers are required to participate in cybersecurity awareness training. Phishing schemes - in which hackers try to deceive email recipients by posing as legitimate entities - can lead to identity theft and other problems.
The topic of the email was about an expired password, said Kelly Miller, state relations officer for Michigan's Office of the Auditor General.
Phishing was how Russian-linked players stole the emails of Hillary Clinton's presidential campaign chairman John Podesta.
Auditors made 14 findings, including five that are "material" - the most serious. They range from inadequate management of firewalls to insufficient processes to confirm if only authorised devices are connected to the network.
"Unauthorised devices may not meet the state's requirements, increasing the risk of compromise or infection of the network," the audit said.
The Department of Technology, Management and Budget agreed with many of the findings while partially concurring with some. It said the auditors' phishing email was reported to a "security tips" mailbox multiple times and there are other controls that may limit the effectiveness of such attacks.
The agency added that it is formalising a standard that adopts industry best practices for secure configurations, estimating it will be done in April.
"The data held within the state government network is safe and secure due to the many layers of protection in our security ecosystem," said spokesman Caleb Buhs, who said the state has already begun implementing many of the auditors' recommendations. "This audit provides us with a good roadmap for prioritising future technology infrastructure investments."
The audit, which covered a three-year period between 2014 and 2017, said the state did not fully establish and implement an effective process for managing updates to network devices' operating systems. Ten high- or medium-severity vulnerabilities were identified.
Overall, Auditor General Doug Ringler deemed state's efforts to design, administer and monitor a secure IT network as "moderately sufficient."
A Democratic critic of Gov. Rick Snyder's administration, Senate Minority Leader Jim Ananich of Flint, said "there is just no excuse for why Michigan's top officials have failed to protect our state from hackers."