Postal Service reveals cyber breach

The September attack, made public Nov. 10, potentially puts customer and employee personal information at risk, including addresses, Social Security numbers and emails.

gloved hands

The Postal Service suffered a cybersecurity breach of its information systems and has launched an investigation into the attack that potentially compromised employee and customer personal information, including addresses, Social Security numbers and emails.

The Nov. 10 announcement of the attack, which was discovered in September, comes little more than a week after the White House reported it too had been the victim of hacking.

As in the White House breach, in which Russia was the suspected culprit, suspicion immediately fell on a foreign power -- in this case China, where President Barack Obama is now attending an economic summit and visiting with President Xi Jinping.

"This intrusion was similar to attacks being reported by many other federal government entities and U.S. corporations," David Partenheimer, manager of media relations at USPS, said in a statement. "We are not aware of any evidence that any of the potentially compromised customer or employee information has been used to engage in any malicious activity."

But a private sector analyst suggested employees should be on the lookout, nonetheless.

"Unfortunately, this breach is just the latest in a series of incidents that have targeted the U.S. government," said Dan Waddell, director of government affairs at (ISC)2. "It seems this particular incident revealed information on individuals that could lead to targeted spear-phishing attacks towards USPS employees."

"All of us need to be aware of potential phishing schemes," Waddell added, "but in this particular case, USPS employees should be on the lookout for any suspicious email that would serve as a mechanism to extract additional information such as USPS intellectual property, credit card information and other types of sensitive data."

Call center data submitted to the Postal Service Customer Care Center by customers via email or phone between Jan. 1 and Aug. 16, 2014, is thought to be compromised; that includes names, addresses, telephone numbers, email addresses and other information customers provided to the center. However, USPS officials said they do not believe customers who contacted the call center during that period need to take any action as a result of the incident.

USPS is working with the FBI, Justice Department and the U.S. Computer Emergency Readiness Team to investigate the breach.

USPS is also tapping the private sector and bringing in specialists in forensic investigations and data systems "to assist with the investigation and remediation to ensure that we are approaching this event in a comprehensive way, understanding the full implications of the cyber intrusion and putting in place safeguards designed to strengthen our systems," according to an agency statement.

According to an April 2014 USPS Inspector General audit on the security of USPS's wireless networks, "the Postal Service has effective security policies and controls that detect unauthorized access to its wireless network."

The audit also found that USPS has continuous monitoring technology and procedures to ensure security of the wireless network in place, and that larger USPS facilities have dedicated access points configured for wireless intrusion detection.

As for the security of USPS's stored data, the OIG found several weak spots in a March 2014 report.

"The Data Management Services group did not manage the storage environment in accordance with Postal Service security requirements because its managers did not provide adequate oversight of the storage teams," the report said.

In the first half of 2014, more than 500 million commercial records have been compromised by hackers, and "this represents another example of the aggressive nature of nation-state adversaries looking for personally identifiable information for potential phishing attacks and other types of fraud -- an area where information can be easily monetized," said Edward Ferrara, principal analyst at Forrester. "This could also be an attempt to further probe aspects of the United States government's cyber defenses in the unclassified areas of government operations."

USPS has implemented additional security measures to improve the security of its information systems, which attracted attention this weekend, as some of USPS's systems went offline. According to USPS, these additional security measures include equipment and system upgrades, as well as changes in employee procedures and policies to be rolled out in the coming days and weeks.

"It is an unfortunate fact of life these days that every organization connected to the Internet is a constant target for cyber intrusion activity," Postmaster General Patrick Donahoe said in a statement. "The United States Postal Service is no different. Fortunately, we have seen no evidence of malicious use of the compromised data and we are taking steps to help our employees protect against any potential misuse of their data."