
USPS Data Breach: Neither Snow nor Rain nor Heat nor Gloom of Night Keeps Intruders from Their Appointed Rounds

Employment with the US Postal Service was once considered the benchmark of job security. The same cannot be said of the security of its employees’ personal data.

According to USPS officials, a recent breach affects the entire staff of 800,000 postal workers. The data exposed includes “names, dates of birth, Social Security numbers, addresses, dates of employment and other information”. Fortunately, “other information” does not include credit card numbers, though as a precautionary measure, USPS employees will be given one free year of credit monitoring.

The only compromised customer data involves “customers who contacted the Postal Service Customer Care Center with an inquiry via telephone or e-mail between Jan. 1, 2014 and Aug. 16, 2014. This compromised data consists of names, addresses, telephone numbers, e-mail addresses and other information for customers who may have provided this information.” In a formal statement, the USPS asserts that “we do not believe that potentially affected customers need to take any action as a result of this incident”. USPS officials emphasize that no financial systems within USPS facilities or USPS affiliates (such as USPS.com, Click-N-Ship, the Postal Store, PostalOne!, FedEx or UPS) were affected. Lastly, passport application data was not compromised.

Unlike other recent breaches involving retailers Home Depot and Target, the suspected instigator of this breach is the Chinese government, which (along with the NSA) is notorious for its intrusion attempts on government information systems (it denies the accusation). James A. Lewis, a cyber-policy expert at the Center for Strategic and International Studies, states that “they’re just looking for big pots of data on government employees” as “a way of building their inventory on U.S. persons for counterintelligence and recruitment purposes”. He also notes that “China would be interested in amassing large sets of data that can be analyzed for previously unknown links or insights”. Lastly, Lewis notes that the Chinese postal service, unlike the USPS, holds large amounts of data on its citizens, and that they may have incorrectly assumed the same of the USPS and overestimated the nature and type of data available.

The USPS has come under fire for its reporting of the breach – particularly the fact that the breach occurred in August but was not reported until recently. House Oversight and Government Reform Committee Chairman Darrell Issa (R-CA) and House Oversight Committee Subcommittee on Postal Service Chairman Blake Farenthold (R-TX) are leading the charge. The committees released a joint statement using terse language: “…the Committee understands the Postal Service has known about this attack since September and presented this information to Congress several weeks ago, but did so as a classified matter. The Committee will be seeking information about why the Administration waited two months before making the news of this attack public and preventing victims from taking proactive measures to secure their own information. We have not been told why the agency no longer considers the information classified.” In a letter addressed to Postmaster General Patrick Donahoe (himself a victim of the attack), ranking committee member Rep. Elijah E. Cummings (D-MD) went as far as to say that “The increasing number of cyber attacks in both the public and private sectors is unprecedented and poses a clear and present danger to our nation’s security.” In reply to the critics, the USPS states that “Communicating the breach immediately would have put the remediation actions in jeopardy and might have resulted in the Postal Service having to take its information systems offline again” (the latter statement refers to the Postal Service taking systems off-line on November 8-9 as part of its intrusion mitigation efforts).

Joining the USPS in the incident response are the Federal Bureau of Investigation, the Department of Justice, the USPS Office of Inspector General, the Postal Inspection Service and the U.S. Computer Emergency Readiness Team. The FBI, in its own statement, urged the public to “report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center at www.ic3.gov.” An FAQ (Frequently Asked Questions) document is available from the USPS at http://about.usps.com/news/fact-sheets/scenario/customerFAQs_Final.pdf