Hillary Clinton’s Email Account Unencrypted and Vulnerable During China Trip

March 12, 2015 Updated: June 24, 2015

Amid the controversy over Hillary Clinton’s email, another potentially major security threat has emerged: Clinton’s private server, which she has come under fire for using for personal and work-related emails, could have been compromised by Chinese hackers, experts say.

For three months at the start of her term as secretary of state in 2009, Clinton’s server was not encrypted, leaving it vulnerable to eavesdropping by hackers.

And according to her travel history, on Feb. 20 that year, she took an inopportune two-day business trip to Beijing while her email was still unprotected.

Venafi, a private, Utah-based cybersecurity company, launched an investigation into Clinton’s private server to test a new product that uses forensic analysis. Its product team found that Clinton’s server lacked a digital certificate from January to March in 2009.

China and other countries outside of the United States have a built-in infrastructure of hackers, according to Kevin Bocek, Venafi’s vice president of Security Strategy and Threat Intelligence.

“The technology and techniques are more readily available and actually baked into the infrastructure in countries such as China,” said Bocek. 

He said the incident was “probably the most disturbing potential risk to U.S. national security.”

Clinton was especially vulnerable in early 2009 if she accessed her email while visiting China. Without encryption, her server was open to eavesdropping.

Worse, her login name and password could have been picked up for long-term access to the server.

Since Clinton’s email account at clintonemail.com was on a personal server and not maintained by security professionals, it’s likely she wasn’t required to change her password often. Therefore, if hackers got hold of her credentials, they might also have gained long-term access to her account.

Clinton would be none the wiser, either, if someone were accessing her account, said Bocek.

“The users of the email system wouldn’t know it, because the adversary would be accessing the email using the valid name and password,” he said.

There have been reports that other members of Clinton’s staff also had accounts on her server, which would make them vulnerable too.

Whether Clinton was compromised or not depends on whether hackers went after her while she was vulnerable.

“In practice, unless somebody were specifically targeting her during the first three months of her term, it’s unlikely that that would happen,” said Jonathan Katz, director of the Maryland Cybersecurity Center.

The scenario does have precedent. In 2008, then-presidential candidates Barack Obama and John McCain were targeted by hackers in China who seized a number of internal documents.

“Without encryption, everything Hillary Clinton sent or received in her email would be exposed to the Chinese government. There’s no doubt,” said Chao Yu, a network engineer and expert in the Chinese regime’s monitoring systems. “Especially if it’s Hillary Clinton.”

Still, those who are familiar with the Chinese Communist Party’s monitoring methods said that Clinton could have been hacked with or without encryption, and her server could even be accessed while she was still in the United States.