Compensation files for U.S. Postal Service workers might also have been breached during a recent hack that exposed the Social Security numbers and other personal data on about 800,000 USPS employees, a postal inspector said Wednesday.
At a House hearing on the agency's controversial "mail cover" envelope-surveillance program, the cyber intrusion, which postal officials revealed last week, dominated discussion.
"We’re still conducting forensic analysis of the impacted servers," said Randy Miskanic, incident commander on the case and the USPS secure digital solutions vice president. "There is the possibility of additional compromise, specifically as it relates to some workers’ compensation files.”
The Department of Homeland Security alerted the Postal Service to suspicious activity on several servers on Sept. 11, more than two months ago.
Some lawmakers voiced concern about the delay in notifying affected employees. Agency officials said they held off on coming forward, because Oct. 17, the FBI said that communicating the threat or disinfecting systems could let the “very sophisticated” attacker drill deeper into the Postal Service network.
Some Congress members were dissatisfied with that rationale.
“The secret squirrel stuff -- we have to figure out how sophisticated these people were and what information they’ve got -- that doesn’t fly,” said Stephen Lynch, D-Mass., ranking Democrat on the House Oversight and Government Reform's subcommittee on the federal workforce, which held the hearing.
Legislation perhaps should be introduced "to make sure you cough up that information,” Lynch suggested.
The Postal Service voluntarily held two classified briefings for the committee, on Oct. 22 and Nov. 7, according to lawmakers and the agency.
"The way this should work is, as soon you know that a file has been compromised and it contains personally identifiable information -- Social Security numbers -- that employee should be notified," Lynch said. "If we go with your plan, a U.S. government agency could have the Social Security numbers for all its employees compromised and you’ll decide based on your own interests when the employees will be notified.”
Postal officials said they did not know until Nov. 4 that any files holding employee personal information had been copied.
In total, 100 machines were penetrated, out of the agency's 25,000 servers and 200,000 workstations.
The employee data affected includes potentially, names, dates of birth, Social Security numbers, physical addresses, employment start dates and termination dates, emergency contacts and other personal information.
The attackers also netted less-sensitive data on many customers. About 2.9 million records from citizens who contacted the USPS call center by telephone or email between Jan. 1 and Aug. 16 were accessed. These customers might have had their names, physical addresses, phone numbers, email addresses and other information stolen.
Officials said they are not yet aware of any evidence the pilfered data has been used to commit fraud.
USPS is providing free credit monitoring to employees, including Postal Regulatory Commission personnel, whose payroll data was housed in the same system.
Miskanic could not comment on the identity of the attackers, but described them as the type that are "well-resourced and have a long time period to effect their activities." So-called advanced persistent threat actors also recently breached a White House unclassified network and the State Department's unclassified email system.
The USPS hack is one of many infiltrations of federal networks that occurred in September and October, including incidents at the National Oceanic and Atmospheric Administration, the White House and State.
USPS is tight on funding in all areas of operation, reporting a $5.5 billion loss in fiscal 2014. Declining mail volume and congressionally mandated payments to fund future retirees’ health benefits primarily accounted for the shortfall, according to the agency.
One of the Postal Service's top cybersecurity officials is departing soon, but according to USPS, the retirement is unconnected to the hack. Charles McGann, the head of the agency’s Corporate Information Security Office, is stepping down after 27 years with the agency.