USPS Defends Breach Notification Delay
Lawmaker Accuses Postal Service of Acting in Own Self-Interest
Testifying at a House hearing, a United States Postal Service official defended the delay in notifying USPS workers of a breach that exposed employees' Social Security numbers, contending authorities didn't initially know what data was pilfered. The official, Randy Miskanic, also said the government didn't want to tip off hackers that it was aware of the breach.
Still, Rep. Stephen Lynch, the ranking member of the House Oversight and Government Reform Subcommittee on Federal Workforce, U.S. Postal Service and the Census, criticized the USPS for the breach notification delay. The Massachusetts Democrat said that the exposure of the personally identifiable information posed such a great risk to employees' identities that notification should have occurred as soon as the Postal Service became aware of the breach.
The Nov. 19 hearing explored the breach in which the PII of some 800,000 USPS workers was exposed. The breach also exposed 2.9 million customer complaint files containing contact information, officials revealed at the hearing. The USPS first learned of the breach on Sept. 11 but didn't notify employees until Nov. 10.
Miskanic, USPS vice president for secure digital solutions, gave three reasons why the Postal Service delayed going public with the breach, including notifying employees:
- Authorities didn't want to alert the attackers - which he characterized as sophisticated - that they were aware of the breach;
- The Postal Service didn't definitively know what data was pilfered until Nov. 4, when USPS investigators confirmed that employee PII was copied and stolen; and
- USPS needed time to establish an incident response process to answer workers', customers' and business partners' questions regarding the impact of the breach. "Prematurely announcing the intrusions before these important facts were discovered would have undoubtedly led to a great deal of frustration and confusion," he said.
Remaining Mum
On the advice of the director of the United States Computer Emergency Readiness Team (US-CERT), the Department of Homeland Security unit that helps federal agencies respond to and mitigate breaches, the Postal Service decided not to publicize the breach, Miskanic said.
"If provided advance warning of network actions intended to expel and block the intruder from the Postal Service network, the adversary could take bolder steps to further infiltrate or sabotage systems," he said. "This valid threat of additional potential damage to the Postal Service and victims was deemed sufficient basis to delay notification and public announcement until after short-term remediation was accomplished."
Miskanic testified that the USPS had an inkling of what was stolen on Oct. 16, when agents of the independent Postal Service Office of Inspector General notified the postmaster general of the suspected contents of an exfiltrated file. "The investigators cautioned, however, that further extensive and complex forensic analysis was necessary to determine if the file actually contained PII," he said.
In fact, he said, investigators are continuing to conduct forensic analysis of the breached servers, including those that contain worker compensation files. "We are additionally aware of a possible compromise of injury compensation claims data that we are still investigating," he said.
Employees at Risk
His testimony didn't mollify Lynch, who accused Miskanic and his USPS colleagues of delaying notification based on their own self-interests.
"The 'Secret Squirrel' stuff, you know, that we have to figure out how sophisticated these people were and what information they got, that doesn't fly," Lynch said, referring to the mid-1960s cartoon series that parodied the spy genre. "This is very, very important information; these people [Postal Service employees] are at risk. The employee unions who represent these people got zero notice."
The American Postal Workers Union, which represents about 200,000 postal employees, earlier this month filed a complaint with the National Labor Relations Board, accusing the Postal Service of not informing workers of the breach in a timely manner and not negotiating the terms of credit monitoring services and identity theft protections (see Was VPN Used to Hack Postal Service?). The Postal Service is paying for one year's worth of credit monitoring for employees affected by the breach.
"If people like yourself and your agency are going to decide when it's good for you to let people know that their Social Security numbers are stolen, when you're good and ready, that's not good enough," Lynch said. "You have to be more forthcoming with people that you're supposed to be protecting."
During his testimony, Miskanic declined to say whether the USPS knew who hacked the system, suggesting that whatever knowledge the USPS has about the assailant should be revealed in a secret session. Earlier this month, several media outlets reported that the Chinese were behind the breach.
Breach Details
In his written testimony, Miskanic provided details about the breach and how the Postal Service responded, including:
- Days after being notified of the breach on Sept. 11, the IG advised the USPS corporate information security officer that the investigation should remain confidential, warning that acting independent of U.S.-CERT and the FBI would likely adversely affect the Postal Service's overall IT security posture.
- From Sept. 19 through Oct. 2, IG agents and postal inspectors configured and installed the technical architecture and tools necessary to identify any affected servers and workstations on the Postal Service network.
- Investigators discovered on Oct. 7 that a large data file had been copied and removed from the USPS network. The file was encrypted, limiting the ability of the investigative team to identify the data it contained. Officials suspect that the file was copied to another server outside of the USPS network that was being controlled by an adversary.
- On Oct. 15, after a forensic examination, IG investigators and postal inspectors surmised the pilfered data was contained in a Postal Service Human Resources file that included employee PII.
- From Oct. 26 through Oct. 28, the forensically recovered employee PII from the compromised server was reconstructed and shared with the Postal Service chief human resources officer.
- On Oct. 31, investigators identified a database backup file on a compromised server, which was determined to be related to an application used for receiving, processing and managing customer service requests. The backup file contained 2.9 million customer complaints. The compromised customer data was limited to name, address, phone and e-mail address information.
- Four days later, USPS confirmed that employee PII was copied and stolen from the Postal Service network. The pilfered information included employees' names, dates of birth, Social Security numbers, addresses, beginning and end dates of employment and emergency contacts.
- On Nov. 7, the Postal Service CIO activated a remediation plan developed with US-CERT guidance and supported by external cybersecurity experts. Implementing elements of the remediation plan required a network brownout on Nov. 8 and 9, which limited communications between the Postal Service network and the Internet. Sending and receiving e-mail between Postal Service e-mail accounts was allowed during the brownout, but transmitting e-mail messages externally was blocked.
- USPS blocked - and continues to block - employees' access to e-mail sites such as Gmail and Yahoo to reduce the likelihood of phishing and spear-phishing attacks.
CERT Assessment
The Carnegie Mellon University CERT Coordination Center, which assessed the compromised USPS system at the Postal Service's request, found that the Postal Service had solid information security policies, Miskanic testified. But the study revealed that various business units didn't always follow those policies. The CERT analysis also found that critical systems could be better protected by segregating them on the network from the general-user IT environment.
Miskanic pledged USPS will take steps to prevent breaches. "No company or organization connected to the Internet is immune from the type of malicious cyber-activity that the Postal Service experienced," he said. "We take such threats seriously and regularly take action to protect our networks, our customers' data and our employees' information.
"As a result of this incident, we have significantly strengthened our systems against future cyber-intrusions. We will continue taking all necessary steps to guard our systems from attacks and to ensure the safety and privacy of our employees and customers."