The U.S. Postal Service yesterday announced that its systems were recently breached, exposing employees’ names, birthdates, Social Security numbers, addresses, dates of employment and emergency contact information.
The breach also exposed the names, addresses, phone numbers and email addresses of customers who contacted the Postal Service Customer Care Center by phone or email between January 1, 2014 and August 16, 2014.
“The privacy and security of data entrusted to us is of the utmost importance,” U.S. Postal Service manager of media relations David Partenheimer said in a statement [PDF]. “We have recently implemented additional security measures designed to improve the security of our information systems, including certain actions this past weekend that caused certain systems to be offline. We know this caused inconvenience to some of our customers and partners, and we apologize for any disruption.”
Partenheimer told SC Magazine that more than 800,000 U.S. Postal Service employees may be affected by the breach. “The number of customers impacted by calling the Customer Care Center is under investigation,” he said.
HyTrust president and co-founder Eric Chiu told eSecurity Planet by email that the breach serves as a reminder that data is the new currency — and that’s true for both customer and employee data. “In many ways, employee data is even more valuable because companies store very sensitive information like Social Security, contact, healthcare, and financial data on employees which can be used to hijack a person’s financial identity,” he said.
In a recent?letter [PDF] addressed to Postmaster General Patrick R. Donahoe, Rep. Elijah Cummings noted that the House Committee on Oversight and Government Reform had been briefed on the attack on October 22, 2014 and November 7, 2014, but asked for more information on the details of the attack and the Postal Service’s response to it.
“The increased frequency and sophistication of cyber attacks upon both public and private entities highlights the need for greater collaboration to improve data security,” Cummings wrote. “The Postal Service’s knowledge, information, and experience in combating data breaches will be helpful as Congress examines federal cyber security laws and any necessary improvements to protect sensitive customer and government financial information.”
The Washington Post reports that Chinese government hackers are believed to have been responsible for the attack. “For the Chinese, this is probably a way of building their inventory on U.S. persons for counterintelligence and recruitment purposes,” Center for Strategic and International Studies senior fellow James A. Lewis told the Post.
“Unfortunately, this breach is just the latest in a series of incidents that have targeted the U.S. government,” Dan Waddell, Director of Government Affairs at (ISC)2, told eSecurity Planet. “It seems this particular incident revealed information on individuals that could lead to targeted spear-phishing attacks towards USPS employees.”
“All of us need to be aware of potential phishing schemes, but in this particular case, USPS employees should be on the lookout for any suspicious email that would serve as a mechanism to extract additional information such as USPS intellectual property, credit card information and other types of sensitive data,” Waddell added.