Wednesday, November 12, 2014

BREACH: USPS (Updated 11-11-2014 4:22PM EST)

USPS is reporting that employee data and now customer data, has been compromised. 

Major news articles started reporting on the issue earlier this morning. It appears as though over 500,000 employees may be affected. We are working to find out if this includes contractor information or is limited to actual USPS employees.

Update @16:22 ET 11-11-2014
VulnerableDisclosures received information indicating that the VPN services for USPS have been taken offline and it is believed to be the attack vector that allowed hackers into the USPS network. 

Update @21:02 ET, 2014
Additional information is now indicating that the actual number may be higher than the original report of 3 million. We are monitoring the situation. 

Update @15:19 ET, 2014

In a report by CNN, it now appears that the information of 2.9 million Postal Service customers may have been compromised as well.


Update @14:29 ET, 2014

It appears that the US Congressional Committee on Oversight and Government reform is paying close attention to this breach.

Earlier this morning, the ranking minority member, the Honorable Elijah E. Cummings, sent an email to the USPS Postmaster General/CEO, Mr. Patrick R. Donahoe requesting additional information regarding the breach be provided to the committee.

It appears that this breach may have been discovered in early-to-mid October 2014 whereupon Postal Service officials provided fulsome briefings to this same committee.

Webster's Dictionary notes that "fulsome" is an adjective meaning "of large size or quantity; generous or abundant", as in "a fulsome harvest".

This begs the question "How long did the actors have access to USPS information systems which would allow them " a fulsome harvest" ??

One of the requests made in this letter to USPS Postmaster General Donahoe was that [the USPS] provide "the findings from forensic investigative analyses or reports concerning the breaches, including findings about vulnerabilities to malware, the use of data segmentation to protect PII (Personally Identifiable Information) and why the breach went undetected for the length of time it did...."

We will update this threat as additional information becomes known.

As of 10:00ET, Nov 11th, 2014
Hackers have breached US Postal Service networks, leading to a significant data breach.
The US Postal Service said on Monday the break-in was discovered in mid-September, according to the Washington Post. Although officials are said to have declined to comment on who they thought was responsible, hackers associated with the Chinese government are thought to be high on the list.

Data of more than 800,000 employees has been compromised. That data includes names, dates of birth, Social Security numbers, and addresses were taken in the attack.
No customer data was taken, the US Postal Service said.

According to a USPS spokesperson who spoke to the Post, the attack was led by a "sophisticated actor that appears not to be interested in identity theft or credit card fraud."
That points the finger at a state actor rather than a lone-wolf or hacker group interested in financial gains.

It comes as President Obama meets with his Chinese premier counterpart, President Xi Jinping, for discussions into cybersecurity, among other things.

China has over the years consistently denied it has attacked US networks. When the Edward Snowden revelations landed in mid-2013, it gave Beijing an advantage to defend itself, in the wake of the disclosure of the US government's massive global surveillance operations.
As employees were notified on Monday, the FBI continues to lead the investigation into the US Postal Service data breach.

No comments:

Post a Comment