The US Postal Service (USPS) has reported a cyber attack which affected both employee and customer data.
In a statement, David Partenheimer from the USPS media relations group said that after it learned of the cyber security intrusion into some of its information systems, it began investigating the incident. “The intrusion is limited in scope and all operations of the Postal Service are functioning normally,” he said.
“Information potentially compromised in the incident may include personally identifiable information about employees, including names, dates of birth, Social Security numbers, addresses, beginning and end dates of employment, emergency contact information and other information.”
He also confirmed that the intrusion compromised call centre data for customers who contacted the Postal Service Customer Care Center with an inquiry via telephone or email between January 1st 2014 and August 16th 2014. “This compromised data consists of names, addresses, telephone numbers, email addresses and other information for those customers who may have provided this information.”
He confirmed that Postal Service transactional revenue systems have not been affected by the incident, and there is no evidence that any customer credit card information from retail or online purchases was compromised.
Partenheimer said that the privacy and security of data entrusted to the postal service “is of the utmost importance”, and it has recently implemented additional security measures designed to improve the security of its information systems.
“We know this caused inconvenience to some of our customers and partners, and we apologise for any disruption,” he said.
According to Reuters, the personal information of more than 800,000 employees was compromised in the incident. Partenheimer said the attack was carried out by a “sophisticated actor” not interested in identity theft or credit card fraud.
Chris McIntosh, CEO of ViaSat UK, said: “The USPS attack shows employee data is a lucrative target for cyber attackers, particularly nation states with huge resources at their disposal. A complete approach to securing the entire IT system is needed to combat the threat including the three Ps: people, process and planning.
“Investing thousands of pounds on the shiniest new piece of technology isn’t enough when it’s not used as part of a joined-up security strategy. Every point of weakness and potential interaction with the outside world needs to be identified, whether it is how passwords are stored; moving data across unsecured lines; remote access points; or even company policy regarding the use of personal devices.”
Eric Chiu, president & co-founder of HyTrust, said: “In many ways, employee data is even more valuable because companies store very sensitive information which can be used to hijack a person’s financial identity.
“Also, given that insider threats are the main cause of breaches today where outside attackers are using phishing and other APTs to steal credentials and gain access to company networks in order to siphon off large amounts of data, companies need to secure systems that contain employee and customer information from these types of threats.”