Attacks/Breaches
11/11/2014 12:10 PM
US Postal Service Suspends Telecommuting Following Massive Data Breach

Employee VPN taken down -- will not be restored until more secure version can be installed, Postal Service says after breach exposes data on 800,000 employees and 2.9 million customers.

The United States Postal Service (USPS) has suspended telecommuting for employees while it works to remediate a network intrusion that has exposed data on some 800,000 postal workers and an additional 2.9 million customers.

The virtual private network (VPN) service for postal employees was taken down this weekend and will not be brought back up until a version with more robust security features can be installed, USPS spokesman David Partenheimer said in an emailed comment to Dark Reading.

“As a result, telecommuting has been suspended until further notice,” he said.

A separate FAQ for employees said the VPN was taken down because it was identified as being vulnerable to compromise. The VPN will remain unavailable while modifications are made to bolster its security. “When VPN is available again users will notice changes in functionality,” the FAQ said without offering any specifics. “We will have additional information about VPN in the near future,” it said.

Additionally, the postal service will upgrade some of its equipment and systems in the coming weeks and months as part of a broad security overhaul in response to the breach.

The USPS on Monday disclosed that unknown intruders had broken into its systems and accessed files containing names, Social Security numbers, dates of birth, and other personal data on all active workers and those who retired after May 2012.

Among those affected by the breach are the US Postmaster General, other members of the executive leadership team, and members of the Postal Career Executive Service and Employee Advisory Services, the USPS said in the FAQ.

The intrusion also exposed names, phone numbers, email addresses, and other data belonging to customers who called in or emailed the Postal Service’s call center with an inquiry between January 1, 2014, and August 16, 2014.

The USPS did not release any specifics on the total number of employees or customers impacted in the intrusion. But CNN and other media outlets, quoting unnamed postal sources, pegged the numbers at between 750,000 and 800,000 employees and 2.9 million customers.

The USPS offered no details on how the intrusion might have happened or how it was discovered. However, the methods and locations that were used to access the USPS network have been identified and a plan has been put in place to close those access routes, the FAQ noted.

Some media reports have speculated that the attack might have originated in China. But so far, the USPS has not said who might have been responsible for the intrusion or where the attackers might have been based.

The Postal Service has so far not released any information on the system or systems that were illegally accessed. But it has said that there is no evidence so far to show that its transaction systems in post offices or on usps.com have been hit. Nor is there evidence that customer payment card data from its in-store or online transactions has been affected, the Postal Service has said.

Disclosure delay
Meanwhile, a controversy appears to be brewing over an apparent delay by the USPS in releasing information about the intrusion.

On Monday two lawmakers issued a statement demanding to know why the Postal Service had waited until this week to release information on the breach, despite having known about it since September and having briefed Congress on it roughly two months ago.

“This is a serious security breach that has put the personal information of Americans at risk,” House Oversight and Government Reform Committee chairman Darrell Issa (R-CA) said in a statement also signed by Blake Farenthold (R-TX), chairman of the Oversight Committee’s subcommittee on the Postal Service.

“The Committee understands the Postal Service has known about this attack since September and presented this information to Congress several weeks ago, but did so as a classified matter,” the statement said. “We have not been told why the agency no longer considers the information classified.”

The statement expressed deep concern over the incident and said the Committee would press the Postal Service for more details on how hackers were able to evade its security controls.

Meanwhile, the American Postal Workers Union, which represents about 200,000 postal workers, filed charges Monday with the National Labor Relations Board protesting what it described as the Postal Service’s failure to disclose the breach sooner. “We are demanding information from the USPS about the extent of the breach -- both known and suspected -- and what postal management knew, when they knew it, and what they did, or failed to do to protect employee information,” APWU president Mark Dimondstein said in a statement.

The USPS data breach is the latest in what has been a remarkable string of major compromises over the past year. Since Target’s breach last fall, numerous businesses and organizations including Home Depot, JPMorgan, Supervalu, Community Health Systems, UPS Stores, Dairy Queen, and others have announced breaches that cumulatively have exposed data on tens of millions of people. The sudden rash of data breaches has left security experts scrambling to explain what is going on.

Some of the retail breaches, at least, appear tied to a data-stealing malware program called Backoff that the US Department of Homeland Security and the US Secret Service had warned about earlier this year. But that does not explain the numerous breaches at non-retail organizations this year, including the one at JPMorgan, one of the nation’s largest banks.

What is particularly troubling is the time it appears to be taking organizations to discover an intrusion, said Idan Tendler, CEO of security vendor Fortscale.

“We have seen in previous high-profile attacks against large corporations that hackers need only a small window of opportunity to compromise users’ personal and financial information,” Tendler said in an email interview with Dark Reading.

“This latest breach against the Postal Service has the potential to be far more damaging depending on when the hackers first got into the system and the amount of time it took before the breach was discovered,” he said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
skandragon, User Rank: Apprentice, 11/13/2014 | 12:48:24 PM
They leaked my email address a long time ago...
I give every company or entity I work with a new, unique-to-them address. Somehow, Home Depot managed to get the one I gave only to the USPS. This happened first on Oct 3rd, when Home Depot contacted me on that USPS-specific address.

USPS told me at the time they did not have a breach, nor did they sell or rent addresses. Home Depot says they don't buy them. I am pretty sure both are lying. When they cannot tell the truth even after the facts are known, what's the point in a privacy policy or a statement about how they use email addresses at all?
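The commenter's practice of handing every organization its own address is a simple leak canary. The example below is added here and is not the commenter's code or anything from the article; it generalizes the idea by deriving each organization's tag from a keyed HMAC, so a tag that turns up in unsolicited mail can be attributed to the organization that was given it, while a guessed or mangled tag is rejected rather than misattributed to the wrong party. The key, base address, domain, organization names and sample messages are all constructed for the example.

```python
"""Per-organization tagged e-mail addresses as leak canaries (added example)."""
import hmac
import hashlib
import re
from typing import Iterable, List, Optional, Tuple

# Constructed for the example; in practice keep the key outside the code base.
KEY = b"example-secret-key-rotate-me"
BASE_LOCAL = "alice"          # the real mailbox, receives all tagged mail
DOMAIN = "example.net"        # constructed domain
TAG_LEN = 10                  # hex chars -> 40 bits, impractical to guess


def vendor_tag(vendor: str) -> str:
    """Deterministic, unguessable tag for an organization (case-insensitive)."""
    mac = hmac.new(KEY, vendor.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:TAG_LEN]


def address_for(vendor: str) -> str:
    """Address to hand to exactly one organization, e.g. alice+3f9c...@example.net."""
    return f"{BASE_LOCAL}+{vendor_tag(vendor)}@{DOMAIN}"


_ADDR_RE = re.compile(
    rf"^{re.escape(BASE_LOCAL)}\+([0-9a-f]{{{TAG_LEN}}})@{re.escape(DOMAIN)}$",
    re.IGNORECASE,
)


def attribute(recipient: str, known_vendors: Iterable[str]) -> Optional[str]:
    """Return the organization whose tag matches `recipient`, or None.

    Tags are compared with hmac.compare_digest so a forged tag cannot be
    refined character by character from timing.
    """
    m = _ADDR_RE.match(recipient.strip())
    if not m:
        return None                      # untagged or malformed address
    seen = m.group(1).lower()
    for vendor in known_vendors:
        if hmac.compare_digest(seen, vendor_tag(vendor)):
            return vendor
    return None                          # well-formed but unknown tag: guessed or mangled


def find_leaks(messages: Iterable[Tuple[str, str]],
               known_vendors: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Flag messages whose recipient tag belongs to someone other than the sender.

    `messages` is an iterable of (sender_domain, recipient). Organizations are
    identified by their sending domain, so a tag given to usps.com that arrives
    from homedepot.com is reported as (sender, recipient, owner_of_tag).
    """
    vendors = list(known_vendors)
    leaks = []
    for sender_domain, rcpt in messages:
        owner = attribute(rcpt, vendors)
        if owner is not None and sender_domain.lower() != owner.lower():
            leaks.append((sender_domain, rcpt, owner))
    return leaks


# Constructed sample data mirroring the commenter's scenario.
VENDORS = ["usps.com", "homedepot.com", "example-bank.com"]
SAMPLE_MESSAGES = [
    ("usps.com", address_for("usps.com")),              # expected use of the USPS address
    ("homedepot.com", address_for("usps.com")),         # USPS-only address used by another sender
    ("spam.example", "alice+0123456789@example.net"),   # well-formed but guessed tag
    ("example-bank.com", "alice@example.net"),          # untagged mail, ignored
]

if __name__ == "__main__":
    for sender, rcpt, owner in find_leaks(SAMPLE_MESSAGES, VENDORS):
        print(f"{sender} mailed {rcpt}, an address given only to {owner}")
```

Plain plus-addressing with the vendor's name as the tag would let a spammer forge `alice+usps@` and frame the wrong party; the HMAC keeps the tag unforgeable without the key, and the fixed-length hex form makes the mail server's rewriting rule straightforward.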
savoiadilucania, User Rank: Moderator, 11/12/2014 | 1:40:30 PM
Fascinating
"The intrusion is limited in scope and all operations of the Postal Service are functioning normally."

In my experience this does not align with a decision to take down full VPN access. This sounds like something persistent and pervasive...
jastroff, User Rank: Strategist, 11/12/2014 | 11:01:03 AM
Re: Timing
Agree that notification is a difficultly timed business. But I didn't even see this on the news (doesn't mean it wasn't there, but it didn't make the splash that, let's say, Target or Home Depot did) -- it seems well hidden for such an important breach, and the issues the USPS had
Bprince, User Rank: Ninja, 11/12/2014 | 8:28:12 AM
Timing
Notification of breaches can be tricky. If you come out too soon, you may not have all the facts. Wait too long, and you may impair the ability of people to protect themselves from fraud. I think the USPS needs to explain the delay. 

BP