Hackers have broken into some of the Postal Service’s information systems. They may have stolen sensitive data on more than 800,000 postal employees, including those who left the agency within the past two years.
“This incident impacts every employee in the organization, including me,” said Postmaster General Pat Donahoe in a video message to staff. “On a personal note, I’d like to say how bad I feel that the whole organization has been victimized. The Postal Service has put a lot of effort over the years to protect our computer system and the bad guys have not been successful until now.”
Employees of the Postal Regulatory Commission and the inspector general’s office are also affected, according to agency spokesman David Partenheimer.
The information suspected of being compromised includes their names, Social Security numbers, addresses and emergency contacts. There is no evidence that the hackers have used the data maliciously, Donahoe said.
The size of the breach dwarfs one that left 25,000 Homeland Security Department employees at risk of identity theft in August, when hackers broke into the network of security contractor USIS. More than 50,000 Energy Department employees were affected by a similar breach on its networks last year.
Employees learned this morning of the cyber breach, although it was first reported to the Postal Service inspector general in September. The Postal Service twice has briefed Congress on the attack, once in October and once last week, according to a letter to Donahoe from Rep. Elijah Cummings (D-Md.), the top Democrat on the House Oversight Committee. Two Republicans on the committee, Chairman Darrell Issa (R-Calif.) and Rep. Blake Farenthold (R-Texas), released a statement questioning why the agency had kept employees in the dark for so long and why the Postal Service thought it was now safe to reveal the breach.
In his video, Donahoe said a multi-agency investigation led by the FBI has precluded the agency from revealing the breach to employees until now. In their statement, Issa and Farenthold suggest the Postal Service is attributing the attack to the Chinese government, but the agency says it is not commenting on the source of the intrusion. That, and the exact timing of the breach, remain under investigation.
In the video, Donahoe also apologized to employees. He said the Postal Service would pay for credit monitoring services and answer employees’ questions through a service line.
The hackers are thought to also have accessed sensitive data of customers who called the Postal Service Customer Care Center between Jan. 1 and Aug. 16 of this year. The data includes their names, addresses and other personal information. Those customers do not have to do anything right now, however, Partenheimer said.
There are no signs that hackers accessed customers’ payment information, whether entered online or used at post offices.
“Regarding customer data, let me be clear; based on the current investigation, Postal Service transactional revenue systems in Post Offices as well as on usps.com where customers pay for services with credit and debit cards have not been affected by this incident,” said Donahoe. “As a result of this incident, we have significantly strengthened our systems against future attacks.”
The Postal Service has brought in outside security experts to figure out what happened and improve network security, he said. It took some of its computer networks offline this weekend so it could bolster cybersecurity protections. It soon will roll out new security measures, policies and procedures.
More information about the breach would be helpful to Congress, as it examines federal cybersecurity laws, Cummings wrote to Donahoe. The congressman called for more collaboration between the government and private sector in thwarting cyberattacks, noting that Home Depot, Target and other major retailers have also been victims of recent cyber breaches. Hackers have compromised more than 500 million commercial records in the first half of this year, according to Forrester Research.