Data Breaches Go Postal: 800,000 USPS Employees And 2.9m Customers Potentially Affected

Another day, another breach.

This time the victim is the US Postal Service (USPS) which discovered the incursion in mid-September.

This latest breach, which the Washington Post has already speculated may be the work of Chinese government hackers, is believed to have occurred between 1 January and 16 August this year.

In a statement released this morning, USPS said the following personal information, relating to as many as 800,000 current and past employees, may have been compromised:

  • names,
  • dates of birth,
  • Social Security numbers,
  • addresses,
  • beginning and end dates of employment,
  • emergency contact information and other information

Additionally, the Postal Service said up to 2.9 million customers who contacted its call centre between the dates mentioned above may also have had data swiped, including:

  • names,
  • addresses,
  • telephone numbers,
  • email addresses and other information

Talking to the Post, USPS Media Relations Manager David Partenheimer said that whoever was behind the attack appeared to be “a sophisticated actor that appears not to be interested in identity theft or credit card fraud.” As a result, USPS said it doesn’t believe potentially affected customers need to take any action as a result of the breach.

That said, I would caution any USPS customers who may be affected to be on the lookout for phishing emails right now which may leverage their contact information to try and extract more sensitive data from them, such as banking or credit card details.

The Postal Service is offering employees one year of free credit monitoring in the wake of the breach even though Postmaster General Patrick Donahoe revealed that, during months of investigation, the Federal Bureau of Investigation had not seen any evidence of malicious use of employee information.

Instead, it seems, the attacker was purely after data.

James A. Lewis, a cyber-policy expert at the Center for Strategic and International Studies told the Post that the USPS would be a logical espionage target for a country such as China as it offered large amounts of data that could be analysed for previously unknown intelligence.

While China may or may not ultimately turn out to be responsible for the incursion, such comments are little more than speculation in my opinion and actual proof seems to be lacking from any of the news reports I’ve seen this morning. Until such time as its involvement is proven (if it ever is), China may rightfully feel a bit miffed at the continued finger pointing considering the number of potential other actors in this scenario.

As for USPS, Partenheimer said,

“We have recently implemented additional security measures designed to improve the security of our information systems, including certain actions this past weekend that caused certain systems to be off-line. We know this caused inconvenience and partners, and we apologize for any disruption.

We began communicating this morning with our employees about this incident [and] apologized to them for it.”

Investigations by the FBI, in conjunction with other federal and postal investigatory agencies, are ongoing.

About Lee Munson

Lee's non-technical background allows him to write about internet security in a clear way that is understandable to both IT professionals and people just like you who need simple answers to your security questions.

Speak Your Mind