USPS employee, customer data compromised in cyber attack
The US Postal Service has admitted its IT networks have been compromised by computer hackers. Personal details of both customers and employees were potentially taken during the incident, USPS said yesterday.
The “intrusion” incident took place “recently”, the Postal Service revealed yesterday, without naming specific dates. USPS briefed Congress behind closed doors regarding the incident on 22 October, and it is believed the Postal Service knew about the attack as far back as September.
The Federal Bureau of Investigation, the Department of Justice and other law enforcement agencies are now investigating, together with outside experts specialising in cyber attacks.
Postmaster General Patrick Donahoe said in a message to staff that because of the ongoing investigation and steps being taken to improve USPS security, information on the cyber attack could not be released publicly until now.
“A file containing employee information was compromised,” Donahoe said. “That file contains names, dates of birth, social security numbers, addresses, dates of employment and emergency contact information for all active employees.”
The file could also contain information on employees who left USPS after May 2012, the Postmaster General added.
The Postal Service is offering to pay for employees to undergo “comprehensive” credit monitoring for a year in order to protect them against possible identity fraud. Information that may have been compromised included names, addresses and social security numbers.
Donahoe said USPS had seen no evidence that the compromised data had been used for malicious activity or identity fraud.
Customer data
Customer details potentially taken in the cyber attack were those collected from people who contacted the Postal Service's call centre by phone or email between 1 January, 2014 and 16 August, 2014. The Postal Service handles about 83m customer inquiries a year.
Donahoe said no customer credit card or financial data was compromised.
In a statement to the media, media relations manager Dave Partenheimer said: “Postal Service transactional revenue systems in Post Offices as well as on usps.com where customers pay for services with credit and debit cards have not been affected by this incident. There is no evidence that any customer credit card information from retail or online purchases such as Click-N-Ship, the Postal Store, PostalOne!, change of address or other services was compromised.”
Partenheimer added that USPS did not believe customers needed to take any action as a result of the incident.
Security upgrades
The Postal Service said it was not aware of any data breaches related to supplier or contractor information.
Last weekend USPS systems were taken offline as part of its effort to upgrade security.
“We are instituting numerous additional security measures, some of which are equipment and system upgrades that will not be visible to users, and some are changes in employee policies and procedures that we will be rolling out in the coming days and weeks,” said the Postal Service.
USPS said it was part of a growing list of major companies and government agencies that have been attacked by hackers in this way.
“The entire leadership of the Postal Service is committed to taking steps to strengthen the security of its systems,” it said.
“The Postal Service has put a lot of effort in recent years into protecting its computer systems, and the bad guys have not been successful until now. You have my sincerest apology that this happened, you also have my commitment that we will help all of our employees deal with this situation,” said the Postmaster General.
“Serious”
Darrell Issa, the Republican Congressman who chairs the House of Representatives Oversight and Government Reform Committee, described the incident as a “serious security breach that has put the personal information of Americans at risk”.
He said his Committee would press the Postal Service for more answers about how hackers were able to penetrate security protocols.
“The Postal Service must do a better job securing the information of the American public,” said Issa.
“Furthermore, the Committee understands the Postal Service has known about this attack since September and presented this information to Congress several weeks ago, but did so as a classified matter. The Committee will also be seeking information about why the Administration waited two months before making the news of this attack public and preventing victims from taking proactive measures to secure their own information. We have not been told why the agency no longer considers the information classified.”
Democrat senator Tom Carper, who chairs the Senate’s Homeland Security and Government Affairs committee, said the hacking incident was “unfortunate” and a “reminder for agencies of all kinds to shore up their cyber defenses and put stronger protections into place to become more resilient and prevent similar attacks”.
Carper said Congress had to redouble its efforts to pass new cyber attack legislation before the end of the year. He said: “I am committed to continuing to work with my colleagues on both sides of the aisle, the Administration, and stakeholders to pass our legislation and additional measures that address this critical issue as soon as possible.”