Hackers siphoned off data from United States Postal Service servers for more than eight months before being detected, the USPS said.
Personal data — including names, dates of birth, Social Security numbers, addresses, beginning and end dates of employment, and emergency contact information — was stolen.
“More than 800,000 employees and some retirees are impacted … all that receive a Postal Service paycheck,” USPS spokesperson David Partenheimer told TechNewsWorld. That includes the Postmaster General.
Nearly 3 million customers’ data also was stolen, CNN reported, but Partenheimer could not confirm that figure.
The postal customers affected reportedly are those who made contact with the USPS Customer Care Center via phone or email between Jan. 1 and Aug. 16.
“The size and richness of the list provides a valuable [resource] for spammers and criminals alike,” Philip Lieberman, president of Lieberman Software, told TechNewsWorld.
There so far has been no indication that any of the compromised information has been exploited, he said.
The Impact of the Hack
The USPS is investigating the breach, together with the FBI and other federal law enforcement agencies.
It held confidential briefings for the U.S. House of Representatives Committee on Oversight and Government Reform in late October and again this week, which triggered a demand for further information from committee ranking member Rep. Elijah Cummings, D-Md.
Over the weekend, USPS performed maintenance on and upgraded its computer and information systems, taking some offline temporarily.
“We couldn’t announce the cyberincident until today because of the possible compromise of the remediation efforts, which may have resulted in more data being compromised,” Partenheimer remarked.
The Long and Winding Hack
The postal service first was alerted to possible suspicious activity on its information systems in mid-September, Partenheimer said, and it “immediately began an investigation and action plan.”
“Identifying the full scope of a compromise is an incredible challenge, as it can take months to get systems back into a trusted state and ensure the full compromise is contained,” Ken Westin, a security analyst at Tripwire, told TechNewsWorld.
Security analysts say the USPS IT systems likely remain at risk even now.
Vectra Networks, which analyzed data collected over five months from more than 100,000 hosts, found that intruders who have gained a foothold in a network typically keep operating inside it; further attacks on the USPS can therefore be expected.
“The attackers will continue to perform internal reconnaissance to build a map of the network and spread laterally within the USPS network to identify other crown jewels worth stealing,” Oliver Tavakoli, Vectra’s CTO, told TechNewsWorld.
It’s possible that the malware might remain concealed in parts of the network until the investigation is concluded and then strike again.
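The internal reconnaissance Tavakoli describes, a compromised host contacting many internal machines or probing many ports on one machine, leaves a recognizable pattern in connection logs. The following is an added example, not code from the original article, the USPS or Vectra: it runs a simple detector over a constructed set of synthetic flow records (timestamp, source, destination, destination port). The thresholds, window size, addresses and the two finding types ("horizontal_sweep", "vertical_scan") are all assumptions chosen for illustration.

```python
"""Flag internal reconnaissance in connection logs: one source touching many
distinct internal hosts (horizontal sweep) or many distinct ports on a single
host (vertical scan) inside a short, fixed time window."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# RFC 1918 ranges; anything outside is treated as external and ignored here.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]
EPOCH = datetime(1970, 1, 1)


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str):
    """Parse 'ISO-timestamp src dst dport' into (datetime, src, dst, int port)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def detect_internal_recon(lines, window=timedelta(minutes=10),
                          host_threshold=10, port_threshold=15):
    """Return a list of findings. Flows are bucketed into fixed windows of
    `window` length (buckets counted from EPOCH, so they are timezone
    independent). Only internal-to-internal flows are considered: a host
    talking to the Internet is a different problem with different baselines."""
    hosts_seen = defaultdict(set)   # (src, bucket)      -> {dst}
    ports_seen = defaultdict(set)   # (src, dst, bucket) -> {dport}
    for line in lines:
        ts, src, dst, dport = parse_flow(line)
        if not (is_internal(src) and is_internal(dst)):
            continue
        bucket = (ts - EPOCH) // window       # timedelta // timedelta -> int
        hosts_seen[(src, bucket)].add(dst)
        ports_seen[(src, dst, bucket)].add(dport)

    findings = []
    for (src, bucket), dsts in hosts_seen.items():
        if len(dsts) >= host_threshold:
            findings.append({"kind": "horizontal_sweep", "src": src,
                             "count": len(dsts), "bucket": bucket})
    for (src, dst, bucket), ports in ports_seen.items():
        if len(ports) >= port_threshold:
            findings.append({"kind": "vertical_scan", "src": src, "dst": dst,
                             "count": len(ports), "bucket": bucket})
    return findings


def constructed_sample():
    """Synthetic flow lines constructed for this example (not real USPS data)."""
    base = datetime(2014, 9, 10, 9, 0, 0)
    lines = []
    # A normal workstation: repeat connections to a file server and a web
    # server, plus one external HTTPS connection that the detector ignores.
    for i in range(6):
        t = base + timedelta(seconds=30 * i)
        lines.append(f"{t.isoformat()} 10.1.4.100 10.1.4.10 445")
        lines.append(f"{(t + timedelta(seconds=5)).isoformat()} 10.1.4.100 10.1.4.12 80")
    lines.append(f"{base.isoformat()} 10.1.4.100 93.184.216.34 443")
    # A compromised host sweeping SMB across 25 neighbours in about two minutes.
    for i in range(25):
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t.isoformat()} 10.1.4.22 10.1.4.{50 + i} 445")
    # The same host then probes 18 ports on one server it found interesting.
    for port in (21, 22, 23, 25, 53, 80, 88, 135, 139, 389,
                 443, 445, 636, 1433, 3306, 3389, 5985, 8080):
        t = base + timedelta(minutes=3, seconds=port % 60)
        lines.append(f"{t.isoformat()} 10.1.4.22 10.1.9.5 {port}")
    return lines


if __name__ == "__main__":
    for finding in detect_internal_recon(constructed_sample()):
        print(finding)
```

The fixed-bucket approach is deliberately simple: a scan that straddles a bucket boundary can be split and fall under threshold, so a production detector would use a sliding window and baseline each host's normal fan-out rather than a single global threshold. The point of the example is the signal itself: a single source with an unusually high count of distinct internal destinations, or of distinct ports on one destination, inside a short interval.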
“There could be booby traps all over their infrastructure,” suggested Jonathan Sander, strategy and research officer at Stealthbits Technologies. If the hackers have come up with truly novel angles of attack on attack surfaces not previously considered, finding the traps will be very difficult.
Whodunit and Why?
There’s speculation that China may have been behind the attacks, but “there is nothing inherently valuable for a nation-state in particular,” Lieberman said.
In any event, identifying the attacker is not relevant to detecting the attack, Tavakoli pointed out.
The USPS breach further indicates that data is the new currency, and attackers “are going after rich veins of private information, whether it’s employee or customer data,” Eric Chiu, president and cofounder of HyTrust, told TechNewsWorld. The employee data is the more valuable of the two, because fields such as Social Security numbers and dates of birth can be used to hijack victims’ financial identities.
The USPS will provide employees with credit monitoring services for one year free of charge.
Self-Protection for Consumers
Nearly 50 percent of 1,000 U.S. participants in a joint RSA-Ponemon Institute survey reported being victimized by a data breach. Yet 45 percent did not change their behavior when using credit and debit cards, and 69 percent said they used the same password for more than one device or website.
Among other things, consumers should change their passwords regularly. They also should monitor their credit and debit card transactions and question any anomaly, no matter how small.