The US Postal Service has joined the ranks of private sector companies and governmental agencies that have been breached and had data stolen by hackers.
According to a statement released by the service on Monday, the attackers managed to find a way into some of its information systems, and have likely compromised personal information of some 800,000 current and past employees, as well as some data for customers who contacted the Postal Service Customer Care Center with an inquiry via telephone or e-mail between Jan. 1, 2014, and Aug. 16, 2014.
The latter need not take any action as a result of this incident, the USPS noted, but the former will be provided credit monitoring services for free for a year, and will be helped by the USPS’ Human Resources Shared Services Center, as their compromised information includes their name, date of birth, Social Security number, address and other information including beginning and end dates of employment, and emergency contact information.
“Postal Service transactional revenue systems in Post Offices as well as on usps.com where customers pay for services with credit and debit cards have not been affected by this incident,” they noted. “There is no evidence that any customer credit card information from retail or online purchases such as Click-N-Ship, the Postal Store, PostalOne!, change of address or other services was compromised.”
In the statement, the USPS doesn’t say when the intrusion was first discovered, but some officials have shared with The Washington Post that it was in mid-September.
“Communicating the breach immediately would have put the remediation actions in jeopardy and might have resulted in the Postal Service having to take its information systems offline again,” the USPS explained in a FAQ section on its site.
The disruption they are talking about happened during the weekend, when the service took some systems offline as part of its efforts to mitigate the intrusion.
“We are working closely with the Federal Bureau of Investigation, Department of Justice, the USPS Office of Inspector General, the Postal Inspection Service and the U.S. Computer Emergency Readiness Team. The Postal Service has also brought in private sector specialists in forensic investigation and data systems to assist with the investigation and remediation to ensure that we are approaching this event in a comprehensive way, understanding the full implications of the cyber intrusion and putting in place safeguards designed to strengthen our systems,” they added.
The identity of the attackers is unknown, but apparently Chinese state-backed hackers are the main suspects.
“With the recent compromise of USIS, UPM and now the USPS employee data compromised, the question is why would attackers be after this type of data?” asked Tripwire security analyst Ken Westin. “Any data on government employees can be useful for espionage. It may not be the data itself, but when linked with other data, such as social security numbers, there are a great deal of insights that can be gathered through patterns and connections.”
“Unfortunately, this breach is just the latest in a series of incidents that have targeted the US government,” noted Dan Waddell, Director of Government Affairs at (ISC)2. “It seems this particular incident revealed information on individuals that could lead to targeted spear-phishing attacks towards USPS employees. All of us need to be aware of potential phishing schemes, but in this particular case, USPS employees should be on the lookout for any suspicious email that would serve as a mechanism to extract additional information such as USPS intellectual property, credit card information and other types of sensitive data.”