The Federal Bureau of Investigation is investigating a cyber attack earlier this year against the U.S. Postal Service that exposed the personal information of every single employee.
Personal information of more than 800,000 postal employees have been exposed, as well as customers who contacted the USPS call center by telephone or email between January and August 16 of this year.
Employee data includes names, dates of birth, Social Security numbers, addresses, beginning and end dates of employment and emergency contact information, the Postal Service said on Monday. Exposed call center data included names, e-mail addresses and phone numbers, but not social security numbers. The breach also did not affect credit card data from retail services such as usps.com, Click-N-Ship, the Postal Store, PostalOne!, and change of address services.
“The intrusion is limited in scope and all operations of the Postal Service are functioning normally,” USPS spokesman David Partenheimer said in a statement posted on the USPS site. New security measures and procedures have been put in place.
The “sophisticated actor” behind this attack does not appear to have been interested in identity theft or credit card fraud, Partenheimer said. Even so, employees will receive credit-monitoring services for one year.
There are some reports blaming Chinese actors for the breach against USPS, but there is no clear evidence at the moment indicating who the perpetrators are. A cyber-espionage operation is very likely since the target network contained personnel data, which can be useful for human intelligence or counterintelligence operations. Even so, it’s not clear how useful information about postal employees would be to foreign governments.
“The recent breach at USPS reinforces that data is the new currency and attackers are going after rich veins of private information, whether it’s employee or customer data,” said Eric Chiu, president & co-founder of HyTrust.
The Chinese government has consistently denied it engages in cyber-espionage.
This breach follows the August incident against US Investigations Services, a firm that performs background checks for U.S. government employees. The USIS attack compromised the data of at least 25,000 workers. There was also an attack against the Office of Personnel Management. There is no data available to suggest a relationship between these incidents.
“Unfortunately, this breach is just the latest in a series of incidents that have targeted the US government,” said Dan Waddell, director of government affairs at (ISC)2.
The exposed information could be used in targeted spear-phishing attacks towards USPS employees, which could be used to “extract additional information such as USPS intellectual property, credit card information and other types of sensitive data,” Waddell warned.