Postal Service Breach Impacts Millions, Shows Failure To Secure Customer Data

Attackers recently penetrated U.S. Postal Service systems, gaining access to databases containing hundreds of thousands of current and former Postal Service employees and nearly 3 million customers.

While the latest incident is another in a long line of security breaches, the attention being paid to securing payment systems may cause organizations to slip when it comes to protecting sensitive customer data, solution providers tell CRN.

In an announcement (.PDF) Monday, the Postal Service said the intrusion into its network of database servers was "limited in scope." Payment information was not compromised in the security lapse, but the Postal Service acknowledged that employee names, dates of birth, Social Security numbers, addresses, and beginning and end dates of employment were compromised as was emergency contact information.

[Related: JPMorgan Chase Breach Could Feed Phishing, But Fraud Unlikely]

Sponsored post

Investigators also determined that attackers compromised a database containing names, addresses, telephone numbers and email addresses of customers who contacted a Postal Service support center line from Jan. 1 2014, to Aug. 16, 2014.

"There is no evidence that any customer credit card information from retail or online purchases such as Click-N-Ship, the Postal Store, PostalOne, change of address or other services was compromised," the Postal Service said in a statement. "We have recently implemented additional security measures designed to improve the security of our information systems, including certain actions this past weekend that caused certain systems to be offline. We know this caused inconvenience to some of our customers and partners, and we apologize for any disruption."

The FBI and other federal and postal investigatory agencies are leading the investigation, according to the statement. Employees are being offered credit monitoring services for one year, the Postal Service said.

The intrusion did not impact payment systems, but the data exposed in the attack could be used to conduct phishing campaigns against people whose data was compromised, solution providers told CRN. Financially motivated attackers will take the stolen data and bundle it based on its value, selling it to other cybercriminals on underground hacking forums, said Jeremy MacBean, director of business development at IT Weapons, a Brampton, Ontario-based solution provider.

"Hackers are often idealized in movies and TV shows where a clever hacker gets into back doors in systems, but the reality is that the people doing this more often than not [are] wrecking people's financial well-being and hurting organizations," MacBean said.

The data is of value to attackers in targeted campaigns or simply to spammers who want to flood email boxes with junk mail, he said.

"The more personal information you have about someone, the easier it is to get into their bank accounts by guessing their login or challenge questions," MacBean said.

NEXT: Risk Assessments Are Key For Organizations

Organizations may be getting executive buy-in to better protect payment systems, but resources need to be allocated following a risk assessment in a systematic way, said Mark Behan, director of the security business unit at Dimension Data. In a recent interview, Behan said organizations must address data protection, network security and security awareness training as some of the essential components making up an effective security program.

"It's a multipronged strategy," Behan said. "It involves much more than buying new security technology to detect threats."

While retail data breaches got the most attention in 2014, solution providers point to other costly data breaches that leaked the personal information of millions of people. In October, JPMorgan Chase revealed that attackers stole the contact information of as many as 7 million businesses and 76 million households from the company's database servers. Earlier this year, tens of thousands of Yahoo and AOL webmail users had their accounts hijacked when attackers probed a list of user names and passwords compromised from a third-party database. The attacks led to spoofed emails and fed phishing campaigns against people in the victims' contact lists.

Breaches can be the result of an employee mistake or a malicious insider. A former financial adviser at Variable Annuity Life Insurance Company allegedly stole a thumb drive containing data on more than 774,000 people that participate in the firm's insurance programs. Software security errors are also to blame, say solution providers. A Web application security lapse at Herndon, Va.-based enterprise software maker Deltek exposed the account credentials of 80,000 employees of federal contractors. Meanwhile, databases are frequently probed by hackers resulting in exposed data. At least five high-profile university data breaches have resulted of the theft or loss of information on nearly 900,000 people in 2014.