The FBI found that the email account was used to discuss classified matters — contrary to earlier claims from Clinton — and that she "extensively" used her personal email for work messages while in areas outside the United States, where she might be at greater risk of digital attack, Comey said. And perhaps most damningly, Clinton's email setup was missing a basic layer of protection, according to Comey: a full-time security staff.
Having a team of people guarding a system against breaches and attacks is standard practice within government agencies and even commercial services such as Gmail and Yahoo. Clinton's lack of that security measure raised alarm bells for Tom Cross, the chief technology officer at cybersecurity firm Drawbridge Networks.
"Particularly when you're dealing with this high profile of a target, you absolutely need a human being who really understands how the attacks you could be facing work and is constantly hunting to see if there are problems," he said.
It's important to note that the FBI didn't say Clinton's email system was breached. In fact, Comey said the investigation "did not find direct evidence" that it was hacked. But he was also clear that this doesn't mean it wasn't hacked, saying that the investigation would be unlikely to find direct evidence of an infiltration because of the sophistication of some hackers.
The email accounts of such high-profile figures as Clinton are almost constantly targeted by state-sponsored hacking groups, according to Cross. "It's a good idea not to underestimate the technical ability of those adversaries — and they certainly can clean up their tracks once they've successfully compromised something," Cross said. In some cases, the hackers can go undetected for months or years within a system, he noted.
That's one reason that even though the FBI didn't find direct evidence of a breach, it ultimately determined it was "possible that hostile actors gained access to Secretary Clinton’s personal email account," Comey said.
Of course, even if Clinton had been using an official government email account, there's no guarantee it would have been safe from hackers. The federal government has suffered a number of significant breaches in recent years, including the massive breach at the Office of Personnel Management disclosed last year. The State Department itself has even had its own issues with hackers digging around in the agency's unclassified email system.
But those government networks were at least scrutinized by teams on the lookout for those types of attacks. The lack of oversight and clarity about the security measures protecting Clinton's system makes it even harder to figure out whether the incredibly sensitive information it stored was kept out of enemy hands.
"There's just no way to be sure," Cross said.