The United States Postal Service on Monday warned workers that their data had been compromised.
The breach affects not only letter carriers who walk their delivery routes and those who work in the inspector general’s office but also the postmaster general himself.
The Washington Post spoke to unnamed officials who said that the attack had actually been discovered in mid-September.
The USPS briefed Congress about the attacks in two classified meetings, on 22 October and 7 November. It made the intrusions public on Monday.
In its public statement, the USPS said that in addition to employee details, information about customers who called or emailed the agency’s Customer Care Center between 1 January and 16 August this year was also compromised.
The stolen customer information includes names, email addresses and phone numbers.
The exposed employee data may include names, dates of birth, Social Security numbers, addresses, dates of employment and more, officials said.
The total number of affected people isn’t clear, although the Washington Post reported that every USPS employee’s information was exposed. The service employs over 800,000 people.
Postal Service spokesman David Partenheimer told the AP that customers at local post offices or those using its website, usps.com, weren’t affected.
That means that the breach doesn’t involve customer credit card information from post offices or online purchases at usps.com.
The attacks happened in mid-September, Partenheimer said.
The Washington Post’s sources said that the attack was carried out by “a sophisticated actor” who was not, apparently, interested in identity theft or credit card fraud.
But, just in case, FBI spokesman Joshua Campbell said any suspected instances of identity theft should be reported to the FBI’s Internet Crime Complaint Center.
At any rate, Postmaster General Patrick Donahoe said in a statement that so far, the USPS hasn’t seen any fraud connected to the compromised data:
“It is an unfortunate fact of life these days that every organization connected to the internet is a constant target for cyber intrusion activity. The United States Postal Service is no different.
“Fortunately, we have seen no evidence of malicious use of the compromised data and we are taking steps to help our employees protect against any potential misuse of their data.”
The FBI is leading an investigation into the attack.
Bad week in cybersecurity: darkhotel, uspostal, lot of 0 days…
Not only do they deliver junk mail and throw important mail in the garbage because the carriers are tired, they have my credit card info for my post office box. I think the real criminals are the US Postal Service. They need better security… perhaps Sophos can come up with a plan for them.
Hacks are always bad, but this one gave me an idea:
What if companies who discover a breach, instead of going public immediately, delay for a random amount of time? Instead of fixing the breach, duplicate the hacked servers, and then feed the hacked databases false information, to cover up/replace the previously accurate information.
There are a lot of logistical problems I can think of, but doing this might prevent the hackers from being able to use the information they so carefully collected, depending on when they harvested it. And, they would never know when the false data began flowing into their coffers.
Though, they’d still be able to use the initial data they collected. It’s just a matter of verifying what is accurate – which they would have to do either way. i.e. matching up name/address data with public listings, such as white pages information.
True. But, if the hackers keep only the latest info (on the assumption that they really want the latest data), then this would make said data useless.
On the other hand, it wouldn’t take them long to figure out that a company is using this, and start saving both old and new data.
Oh, well.
I see that numerous people have given me a thumbs down. I happen to be angry at the US Postal Service. I have called them in the past regarding a priority mail letter that was supposed to be delivered to someone. I had the tracking number but it was not delivered. When I called the post office in that location I was told that the mailbox was full (which it wasn’t) and the party had to go to the post office to pick it up. That is why I feel that some letter carriers are lazy.
As for the hackers, it really depends on how they go about the process. No matter how secure we think we are there is always the risk of being hacked. It could have been an inside job from a disgruntled employee that paid someone off in order to get the information. Who knows?