The United States Postal Service (USPS) has suspended telecommuting for employees while it works to remediate a network intrusion that has exposed data on some 800,000 postal workers and an additional 2.9 million customers.
The virtual private network (VPN) service for postal employees was taken down this weekend and will not be brought back up until a version with more robust security features can be installed, USPS spokesman David Partenheimer said in an emailed comment to Dark Reading.
“As a result, telecommuting has been suspended until further notice,” he said.
A separate FAQ for employees said the VPN was taken down because it was identified as being vulnerable to compromise. The VPN will remain unavailable while modifications are made to bolster its security. “When VPN is available again users will notice changes in functionality,” the FAQ said without offering any specifics. “We will have additional information about VPN in the near future,” it said.
Additionally, the postal service will upgrade some of its equipment and systems in the coming weeks and months as part of a broad security overhaul in response to the breach.
The USPS on Monday disclosed that unknown intruders had broken into its systems and accessed files containing names, Social Security numbers, dates of birth, and other personal data on all active workers and those who retired after May 2012.
Among those affected by the breach are the US Postmaster General, other members of the executive leadership team. and members of the Postal Career Executive Service and Employee Advisory Services, the USPS said in the FAQ.
The intrusion also exposed names, phone numbers, email addresses, and other data belonging to customers who called in or emailed the Postal Service’s call center with an inquiry between January 1, 2014, and August 16, 2014.
The USPS did not release any specifics on the total number of employees or customers impacted in the intrusion. But CNN and other media outlets, quoting unnamed postal sources, pegged the numbers at between 750,000 and 800,000 employees and 2.9 million customers.
The USPS offered no details on how the intrusion might have happened or how it was discovered. However, the methods and locations that were used to access the USPS network have been identified and a plan has been put in place to close those access routes, the FAQ noted.
Some media reports have speculated that the attack might have originated in China. But so far, the USPS has not said who might have responsible for the intrusion or where the attackers might have been based.
The Postal Service has so far not released any information on the system or systems that were illegally accessed. But it has said that there is no evidence so far to show that its transaction systems in post offices as well as on usps.com have been hit. There is no evidence either that customer payment card data from its in-store or online transactions have been impacted, the postal service has said.
Meanwhile, a controversy appears to be brewing over an apparent delay by the USPS in releasing information about the intrusion.
On Monday two lawmakers issued a statement demanding to know why the postal service had waited until this week to release information on the breach, despite knowing about it since September and even briefing Congress about it about two months ago.
“This is a serious security breach that has put the personal information of Americans at risk,” House Oversight and Government Reform Committee chairman Darrell Issa (R-CA) said in a statement also signed by the chairman of the Oversight Committee’s subcommittee on postal service Chairman Blake Farenthold (R-TX).
“The Committee understands the Postal Service has known about this attack since September and presented this information to Congress several weeks ago, but did so as a classified matter,” the statement said. “We have not been told why the agency no longer considers the information classified.”
The statement expressed deep concern over the incident and said the Committee would press the Postal Service for more details on how hackers were able to evade its security controls.
Meanwhile, the American Postal Workers Union, which represents about 200,000 postal workers, filed charges Monday with the National Labor Relations Board protesting what it described as the Postal Service’s failure to disclose the breach sooner. “We are demanding information from the USPS about the extent of the breach -- both known and suspected -- and what postal management knew, when they knew it, and what they did, or failed to do to protect employee information,” APWU president Mark Dimondstein said in a statement.
The USPS data breach is the latest in what has been a remarkable string of major compromises over the past year. Since Target’s breach last fall, numerous business and organizations including Home Depot, JPMorgan, Supervalu, Community Health Systems, UPS Stores, Dairy Queen, and others have announced breaches that cumulatively have exposed data on tens of millions of people. The sudden rash of data breaches has left security experts scrambling to find a reason for what is going on.
Some of the retail breaches at least, appear tied to a data-stealing malware program called Backoff that the US Department of Homeland Security and the US Secret Service had warned about earlier this year. But that does not fully explain the numerous breaches at non-retail organizations this year, including the one at JPMorgan, one of the nation’s largest banks.
What is particularly troubling is the time it appears to be taking organizations to discover an intrusion said Idan Tendler, CEO of security vendor Fortscale.
“We have seen in previous high-profile attacks against large corporations that hackers need only a small window of opportunity to compromise users’ personal and financial information,” Tendler said in an email interview with Dark Reading.
“This latest breach against the Postal Service has the potential to be far more damaging depending on when the hackers first got into the system and the amount of time it took before the breach was discovered,” he said.Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio