U.S. Postal Service Confirms Data BreachEmployee, Customer Information Potentially Compromised
In a Nov. 10 statement, which provides few details, USPS says it recently learned of a "cybersecurity intrusion" into some of its information systems. All operations are now functioning normally, according to the statement.
More than 800,000 employees were impacted in the breach, says David Partenheimer, spokesperson for the USPS. Employee information potentially compromised includes names, dates of birth, Social Security numbers, addresses, beginning and end dates of employment and emergency contact information.
Customers who contacted the Postal Service Customer Care Center with an inquiry via telephone or e-mail between Jan. 1 and Aug. 16 were also potentially affected, although USPS is still investigating the exact number of individuals impacted, Partenheimer says. Potentially compromised customer details include names, addresses, telephone numbers and e-mail addresses.
CNN, citing a U.S. official familiar with the breach, says 2.9 million postal service customers were affected by the breach.
Transactional systems in post offices, as well as on usps.com, where customers pay for services with credit and debit cards, have not been affected by the breach, USPS says. There is also no evidence that any customer credit card information from retail or online purchases, such as Click-N-Ship, the Postal Store, PostalOne!, change of address or other services was compromised, officials say.
Some news reports are indicating China may be behind the attacks, but Partenheimer says he cannot confirm that because "the source of the intrusion is under investigation."
But security consultant Richard Stiennon, author of Surviving Cyberwar, doesn't suspect China is behind the USPS breach. "They are still in the espionage and reconnaissance phase of their cyber-evolution," he says. "On the other hand ... one has to question the timing of the notification considering that President [Obama] arrived in China today."
Karl Rauscher, ambassador-at-large and chief architect for cyberspace policy at the Institute of Electrical and Electronics Engineers, says that cyber-attacks, like the one that targeted USPS, are becoming more sophisticated, "and even those best capable of reacting to them are overwhelmed. Cybersecurity today is typically practiced in a reactive posture to an ever growing number of threats."
No Evidence of Fraud
The USPS says it's not aware of any evidence that any of the potentially compromised customer or employee information has been used to engage in malicious activity.
But Dan Waddell, director of government affairs at (ISC)2, a global information security training and certification organization, warns that the incident, which involved the theft of e-mail addresses, could lead to targeted spear-phishing attacks. "USPS employees should be on the lookout for any suspicious e-mail that would serve as a mechanism to extract additional information, such as intellectual property, credit card information and other types of sensitive data," he says.
Impacted individuals are being offered one year of free identity theft protection services, Partenheimer says.
In addition to the FBI, the USPS is working on the investigation with the Department of Justice, the USPS Office of Inspector General, the Postal Inspection Service and the U.S. Computer Emergency Readiness Team. Private-sector specialists have also been brought in to assist in the investigation and remediation.
"We have recently implemented additional security measures designed to improve the security of our information systems, including certain actions this past weekend that caused certain systems to be offline," Partenheimer says. "We know this caused inconvenience to some of our customers and partners, and we apologize for any disruption."