United States Postal Service employees are the latest to potentially have personally identifiable information exposed after the independent agency announced Monday that some of its systems had been breached.
According to a statement from USPS spokeswoman Sue Brennan, the FBI and other federal and postal investigatory agencies are probing a cyber intrusion into some of the agency’s information systems. The agency also brought in private sector experts to assist in attack analysis and system strengthening. Additionally, the agency said it was working with the Department of Homeland Security’s Computer Emergency Readiness Team.
The public announcement of the breach comes almost two months after the USPS’ Office of Inspector General notified the agency that its systems had been compromised. According to Brennan, the agency found out about the breach in mid-September but is still investigating the exact date of the initial intrusion. The USPS OIG declined to comment on how it learned about the breach.
USPS customers should not fear, though, the agency said. The breach potentially compromised personally identifiable information about employees — not about customers.
In a video message to employees, Postmaster General Patrick Donahoe said the names, dates of birth, social security numbers, addresses, emergency contact information and dates of employments for any current postal employee and any employee who left the agency after May 2012 could be at risk. In addition to USPS employees, Postal Regulatory Commission and OIG employees’ data may have also been compromised due to a shared payroll system between the entities.
It’s also possible the network intruder accessed information about customers who contacted the Postal Service call center this year between Jan. 1 and Aug. 16. The data compromised could consist of names, addresses, telephone numbers, email addresses and any other information that customers may have provided, according to Brennan’s statement.
However, just because employees’ personally identifiable information was compromised doesn’t mean the data was actually stolen from the network, Donahoe said. At this point, though, the agency cannot rule out any data theft.
“We’ve seen no evidence that any of this information has been used for malicious activity, nor for identity theft,” Donahoe said in the video. “This incident impacts every employee in the organization, including me.”
Brennan declined to speculate on who could be behind the attack and cited the ongoing investigation.
According to a statement from Rep. Elijah Cummings, D-Md., the ranking member on the House Oversight and Government Reform Committee, USPS officials briefed the committee’s staff on the breach on Oct. 22 and Nov. 7. Despite receiving the information before it was made public, Cummings asked the agency to provide more information by Dec. 19.
“The information provided in these classified settings was helpful in conveying information about the potential attackers in this case and the possible scope of their destructive actions,” Cummings said. “The Postal Service’s knowledge, information and experience in combating data breaches will be helpful as Congress examines federal cybersecurity laws and any necessary improvements to protect sensitive consumer and government financial information.”
Cummings asked USPS to provide a description of the attack, the type of data breached, the findings from any forensic investigative analysis, a description of data security policies and procedures, and data protection improvement efforts.
Although statements from the USPS and postmaster general addressed some of Cummings’ request, more information is expected as the investigation continues. The agency has reportedly put new security measures in place, which Donahoe said caused some of the agency’s networks to go dark for a period of time over the weekend.
“We’ll also roll out other new security measures in the coming days and weeks, some of which are changes in policies and procedures, so stay tuned for that,” Donahoe said.
House Oversight Committee Chairman Darrell Issa, R-Calif., and Postal Service Subcommittee Chairman Blake Farenthold, R-Texas, said in a joint statement that the breach “has put the personal information of Americans at risk.”
“The committee is deeply concerned about this cyber attack, and will continue to press the Postal Service for answers about how hackers were able to pierce the agency’s security protocols,” they said. “Additionally it underscores the dire need for information security reform, which the committee has pursued through FISMA reforms.”
The latest USPS breach comes more than a week after White House officials disclosed an unclassified network breach that inspired some members of Congress to renew calls for reform to the Federal Information Security Management Act.
Senator Tom Carper, D-Del., the chairman of the Senate Homeland Security and Government Affairs committee, said in a release Monday evening that the breach is further proof that the government is targeted just as much as the private sector.
“This unfortunate incident should serve as a reminder for agencies of all kinds to shore up their cyber defenses and put stronger protections into place to become more resilient and prevent similar attacks from happening,” Carper said. “It should also remind those of us in Congress of the very real and growing threat of cyber attacks. We must do all that we can to help agencies, industry and consumers be better prepared.”
Carper also called on Congress to take on the three cyber bills the committee has pushed through before the end of the 113th Congress’ term. The legislature returns Wednesday for the lame-duck session after a several month recess.
“We need to redouble our efforts when we return this week and get these bills signed into law before the end of the year,” Carper said. “While these bills are a vital part of our effort, our work is far from finished.”
In response to the breach, the agency will offer each employee a comprehensive credit-monitoring product for one year. According to Brennan, the cost of the product will depend on how many employees decide to use it.
Donahoe closed his video message with an apology to USPS employees “that the whole organization has been victimized.”
“The Postal Service has put a lot of effort over the years to protect our computer system, and the bad guys have not been successful until now,” Donahoe said. “We’re a resilient organization, and we’ll get through this.”
Calls to USPS Chief Information Security Officer Chuck McGann were not returned by publication time.