The US Postal Service (USPS) has revealed its systems have been hacked and personally identifiable data related to employees and customers exposed.
Media relations manager, David Partenheimer, explained in a lengthy statement and FAQ that the information associated with employees “may include” names, dates of birth, Social Security numbers, addresses, employment dates, emergency contact details and more.
The cyber-intrusion also compromised details related to customers who called in to the USPS call center between 1 January and 16 August. This included names, addresses, telephone numbers, email addresses and “other information for those customers who may have provided this information.”
However, no customer credit card information was taken and USPS is claiming that affected customers need not take action as a result of the breach.
“We have recently implemented additional security measures designed to improve the security of our information systems, including certain actions this past weekend that caused certain systems to be off-line,” the statement continued.
“We began communicating this morning with our employees about this incident, apologized to them for it, and have let them know that we will be providing them with credit monitoring services for one year at no charge to them. Employees also have the personalized assistance available to them provided by the Human Resources Shared Services Center.”
The FBI is currently investigating the incursion, which the USPS was at pains to point out is “limited in scope.”
However, security experts have warned that it shows all the hallmarks of a fairly sophisticated actor which was interested not in identity theft or card fraud but potentially in collecting data for future targeted attacks.
Greg Kazmierczak, CTO of data protection firm Wave Systems, argued that “the interest here lies in the background information of any Federal US employee.”
“This breach is about general purpose knowledge and not so much about individuals,” he added.
“The USPS breach is consistent with the attacks that China has been launching, seeking out intellectual property from various agencies within the government.”
However, not all agreed.
Imperva CTO, Amichai Shulman, argued that this breach is not consistent with the more sophisticated, persistent APT-style campaigns waged by Chinese state-backed actors in the past.
“The recent attacks suggest a different pattern. Most of them are far less sophisticated (although none of the affected organizations would dare to admit that), persisted for short periods of time and targeted data that can be easily monetized by criminals rather than governments,” he claimed.
“It sounds to me like criminal organizations are getting more involved in this rather than governments.”
Chris McIntosh, CEO of security and comms firm ViaSat UK explained that mitigating the risk of data breaches comes down to people, process and planning as part of a joined-up security strategy.
“Every point of weakness and potential interaction with the outside world needs to be identified, whether it is how passwords are stored; moving data across unsecured lines; remote access points; or even company policy regarding the use of personal devices,” he added.
“If you think of your IT system as Fort Knox, targeted attackers are not going to focus on the front gate, they will go for weak points in the structure, or tunnel in, or disguise themselves as the US army, or simply bribe the guards. In short, they will home in on any point of weakness.”