Breach Delays USPS Financial Report
Postal Service Checking Integrity of Data
Breaches continue to plague the regular operations of victimized organizations. Take, for instance, the U.S. Postal Service, which last week filed papers with regulators explaining why a cyber-intrusion has forced it to delay the filing of its annual financial report.
On Nov. 10, the Postal Service said it had recently become aware of a "cybersecurity intrusion" that exposed the personal information of more than 800,000 current and former employees (see U.S. Postal Service Confirms Data Breach). The breach also exposed 2.9 million customer complaint files containing contact information (see U.S. Postal Service Breach: A Time Line).
In the Nov. 28 filing with postal regulators, General Counsel Thomas Marshall said the Postal Service is delaying the filing of its fiscal 2014 financial report until it can confirm that the breach didn't compromise financial information.
"The Postal Service does not believe that the cyber-intrusion or the costs of responding to it will have a material impact on its internal financial controls, results of operations or financial condition," Marshall said. "Nevertheless, in an abundance of caution, the Postal Service requires additional time to file the annual report on Form 10-K to conduct an additional audit in order to ensure that the cyber intrusion did not compromise financial data systems and information."
Marshall said the Postal Service is employing an extensive process to ensure that the integrity of its financial data systems and financial information was not compromised. "These efforts have caused a delay in obtaining all of the information required for the annual report," he said.
Allan Friedman, a research scientist at George Washington University's Cybersecurity Policy Research Institute, says the likelihood that a hacker meddled with the financial data is remote and believes the Postal Service is being overcautious in not filing its annual report on time.
"It's very strange to imagine that they were so unaware of their system that they believe the integrity of the financial data was corrupted," Friedman says. "It's not a good sign from a security perspective. This shows a profound, jaw-dropping [lack of] situational awareness of their IT system."
Net Loss Revealed
Despite the delay in the official financial report, USPS "in the interest of transparency" presented unaudited financial results for the year, which disclosed a net loss of $5.5 billion.
The Postal Service says it's closely working with the FBI, Justice Department, USPS Office of Inspector General, Postal Inspection Service and the U.S. Computer Emergency Readiness Team to investigate and remediate the breach. The USPS has retained the services of private companies with expertise in forensics and data systems to better understand the full implications of the intrusion.
Details on how the breach occurred have yet to become public. A USPS spokesman said the Postal Service shuttered its virtual private network used by remote workers around the same time the Postal Service acknowledged the breach (see Was VPN Used to Hack Postal Service?). An analysis of public information about the incident does not rule out the possibility that the intruder gained access to Postal Service computers over the VPN.