United States Postal Service Database Hack Shows Major Security Lax

Brook Zimmatore | November 27, 2014

Earlier in the month, the United States Postal Service admitted that it had sought the assistance of the FBI after discovering that its staff database had been breached and that details such as Social Security numbers, names, and home addresses of its employees had been stolen.

“The investigation is being led by the Federal Bureau of Investigation and joined by other federal and postal investigatory agencies,” stated USPS.

“Information potentially compromised in the incident may include personally identifiable information about employees, including names, dates of birth, Social Security numbers, addresses, beginning and end dates of employment, emergency contact information and other information.”

Based on the investigation, the organisation indicated that hackers may have entered the staff database through the payroll department; however, no concrete details were given to back up the claim. Another allegation was that the perpetrators may have discovered a way to eavesdrop on the company’s call center, which could place customers who phone in with inquiries about deliveries or packages, and leave information with customer support, at similar risk.

The call center breach took place from January 1 to August 16 of the current year, a period that left potentially thousands (or millions) of people making calls in the path of unidentified cyber criminals.

David Partenheimer, USPS Media Relations manager, confirmed that no financial information stored within the company’s online portal was breached, and that the infiltration seems to have followed a ‘personal information only’ criterion.

“Postal Service transactional revenue systems in Post Offices as well as on usps.com where customers pay for services with credit and debit cards have not been affected by this incident,”

“There is no evidence that any customer credit card information from retail or online purchases such as Click-N-Ship, the Postal Store, PostalOne!, change of address or other services was compromised.”

Though the details of criminals behind the attack remain slim and subject to rampant discussion, the Washington Post said that sources familiar with the investigations think the USPS attackers are working for or working with the Chinese government, and are likely to be the same adversaries who attacked the federal Office of Personnel Management last July, breaching data of up to 5 million government employees and contractors with security clearance information.

Even though Partenheimer said that customers calling in were not affected, it is possible that their email addresses, telephone numbers and other similar information were compromised. Analysts speaking to the Washington Post said it was possible that the hackers were interested in more data, as USPS also keeps images and records of address information on all packages and envelopes sent through the post, as per American law enforcement. More details will emerge after the FBI finishes exploring the breach. Employees were promised a year of credit monitoring services without charge after the incident.

Tightening security

This particular database breach hints at lax security in one of the major organisations in the US, and the consequences could have been worse if hackers had managed to get away with sensitive customer information.

Organisations like USPS can take these measures to prevent or lessen data breach incidents:

Utilise data breach notifications: Threats can go undetected despite the installation of sophisticated security systems. Solutions such as data breach alerts provided by Massive and other similar companies can provide the United States Postal Service with instant alerts of compromised databases along with profiles of vulnerable victims (employees or customers). Such technology can also intercept what information is being extracted.

Proactive monitoring: The postal service can monitor database, call and network logs, such as the call center file log systems, as well as integrate processes for detecting infiltration of customer service calls. Monitoring the logs may show signs of eavesdropping.

Colocation: The less information you have stored in a particular database, the less vulnerable your organisation is to theft. Colocation can be used to store employee and customer data in different locations to make your databases look less attractive to hackers.

Data breaches are something all major organisations have to prepare for. However, taking these vital steps can drastically reduce your chances of getting hacked.

Brook Zimmatore is the Co-Founder & CEO at Massive.