US Postal Service Suspends Telecommuting Following Massive Data Breach

Employee VPN taken down -- will not be restored until more secure version can be installed, Postal Service says after breach exposes data on 800,000 employees and 2.9 million customers.

The United States Postal Service (USPS) has suspended telecommuting for employees while it works to remediate a network intrusion that has exposed data on some 800,000 postal workers and an additional 2.9 million customers.

The virtual private network (VPN) service for postal employees was taken down this weekend and will not be brought back up until a version with more robust security features can be installed, USPS spokesman David Partenheimer said in an emailed comment to Dark Reading.

“As a result, telecommuting has been suspended until further notice,” he said.

A separate FAQ for employees said the VPN was taken down because it was identified as being vulnerable to compromise. The VPN will remain unavailable while modifications are made to bolster its security. “When VPN is available again users will notice changes in functionality,” the FAQ said without offering any specifics. “We will have additional information about VPN in the near future,” it said.

Additionally, the postal service will upgrade some of its equipment and systems in the coming weeks and months as part of a broad security overhaul in response to the breach.

The USPS on Monday disclosed that unknown intruders had broken into its systems and accessed files containing names, Social Security numbers, dates of birth, and other personal data on all active workers and those who retired after May 2012.

Among those affected by the breach are the US Postmaster General, other members of the executive leadership team, and members of the Postal Career Executive Service and Employee Advisory Services, the USPS said in the FAQ.

The intrusion also exposed names, phone numbers, email addresses, and other data belonging to customers who called in or emailed the Postal Service’s call center with an inquiry between January 1, 2014, and August 16, 2014.

The USPS did not release any specifics on the total number of employees or customers impacted in the intrusion. But CNN and other media outlets, quoting unnamed postal sources, pegged the numbers at between 750,000 and 800,000 employees and 2.9 million customers.

The USPS offered no details on how the intrusion might have happened or how it was discovered. However, the methods and locations that were used to access the USPS network have been identified and a plan has been put in place to close those access routes, the FAQ noted.

Some media reports have speculated that the attack might have originated in China. But so far, the USPS has not said who might have been responsible for the intrusion or where the attackers might have been based.

The Postal Service has so far not released any information on the system or systems that were illegally accessed. But it has said that there is no evidence so far to show that its transaction systems in post offices as well as on have been hit. There is no evidence either that customer payment card data from its in-store or online transactions have been impacted, the postal service has said.

Disclosure delay
Meanwhile, a controversy appears to be brewing over an apparent delay by the USPS in releasing information about the intrusion.

On Monday two lawmakers issued a statement demanding to know why the postal service had waited until this week to release information on the breach, despite knowing about it since September and even briefing Congress about it about two months ago.

“This is a serious security breach that has put the personal information of Americans at risk,” House Oversight and Government Reform Committee chairman Darrell Issa (R-CA) said in a statement also signed by Blake Farenthold (R-TX), chairman of the Oversight Committee’s subcommittee on postal service.

“The Committee understands the Postal Service has known about this attack since September and presented this information to Congress several weeks ago, but did so as a classified matter,” the statement said. “We have not been told why the agency no longer considers the information classified.”

The statement expressed deep concern over the incident and said the Committee would press the Postal Service for more details on how hackers were able to evade its security controls.

Meanwhile, the American Postal Workers Union, which represents about 200,000 postal workers, filed charges Monday with the National Labor Relations Board protesting what it described as the Postal Service’s failure to disclose the breach sooner. “We are demanding information from the USPS about the extent of the breach -- both known and suspected -- and what postal management knew, when they knew it, and what they did, or failed to do to protect employee information,” APWU president Mark Dimondstein said in a statement.

The USPS data breach is the latest in what has been a remarkable string of major compromises over the past year. Since Target’s breach last fall, numerous businesses and organizations including Home Depot, JPMorgan, Supervalu, Community Health Systems, UPS Stores, Dairy Queen, and others have announced breaches that cumulatively have exposed data on tens of millions of people. The sudden rash of data breaches has left security experts scrambling to find a reason for what is going on.

Some of the retail breaches, at least, appear tied to a data-stealing malware program called Backoff that the US Department of Homeland Security and the US Secret Service had warned about earlier this year. But that does not fully explain the numerous breaches at non-retail organizations this year, including the one at JPMorgan, one of the nation’s largest banks.

What is particularly troubling is the time it appears to be taking organizations to discover an intrusion, said Idan Tendler, CEO of security vendor Fortscale.

“We have seen in previous high-profile attacks against large corporations that hackers need only a small window of opportunity to compromise users’ personal and financial information,” Tendler said in an email interview with Dark Reading.

“This latest breach against the Postal Service has the potential to be far more damaging depending on when the hackers first got into the system and the amount of time it took before the breach was discovered,” he said.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

User Rank: Apprentice
11/13/2014 | 12:48:24 PM
They leaked my email address a long time ago...
I give every company or entity I work with a new, unique-to-them address. Somehow, Home Depot managed to get the one I gave only to the USPS. This happened first on Oct 3rd, where Home Depot contacted me on that USPS-specific address.

USPS told me at the time they did not have a breach, nor did they sell or rent addresses. Home Depot says they don't buy them. I am pretty sure both are lying. When they cannot tell the truth even after the facts are known, what's the point in a privacy policy or a statement about how they use email addresses at all?
User Rank: Moderator
11/12/2014 | 1:40:30 PM
"The intrusion is limited in scope and all operations of the Postal Service are functioning normally."

In my experience this does not align with a decision to take down full VPN access. This sounds like something persistent and pervasive...
User Rank: Strategist
11/12/2014 | 11:01:03 AM
Re: Timing
Agree that notification is a difficultly timed business. But I didn't even see this on the news (doesn't mean it wasn't there, but it didn't make the splash that let's say Target or Home Depot did) -- it seems well hidden for such an important breach, and the issues the USPS had
User Rank: Ninja
11/12/2014 | 8:28:12 AM
Notification of breaches can be tricky. If you come out too soon, you may not have all the facts. Wait too long, and you may impair the ability of people to protect themselves from fraud. I think the USPS needs to explain the delay. 
