China suspected of breaching U.S. Postal Service computer networks, Employee data compromised


The postal service began notifying employees on Monday. The agency is providing free credit-monitoring services for one year.

Chinese government hackers are suspected of breaching the computer networks of the United States Postal Service, compromising the data of more than 800,000 employees.

The intrusion was discovered in mid-September, said officials, who declined to comment on who was thought to be responsible. The FBI is leading the investigation into the hack.

The news, announced by the U.S. Postal Service, came as President Obama arrived Monday in Beijing for high-level talks with his counterpart, President Xi Jinping, as well as for an economic summit.

The Chinese government has consistently denied accusations that it engages in cybertheft and notes that Chinese law prohibits cybercrime.

Intrusions were discovered earlier this year into systems of the Office of Personnel Management and of a contractor, USIS, that conducts security-clearance checks. Both cases were also linked to China, said individuals familiar with the investigations.

The United States has elevated cybersecurity as a top issue in the bilateral relationship with China, and senior officials now raise it every time they meet with their counterparts in Beijing.

The intrusion was carried out by “a sophisticated actor that appears not to be interested in identity theft or credit card fraud,” USPS spokesman David Partenheimer said.

“It is an unfortunate fact of life these days that every organization connected to the Internet is a constant target for cyber intrusion activity,” Postmaster General Patrick Donahoe said in a statement. “The United States Postal Service is no different. Fortunately, we have seen no evidence of malicious use of the compromised data and we are taking steps to help our employees protect against any potential misuse of their data.”

November 10, 2014 Employee Handout - courtesy of Philadelphia APWU Member


The compromised data included names, dates of birth, Social Security numbers, addresses, dates of employment and other information, officials said. Every employee from the letter carrier to the postmaster general was exposed.

But no customer credit card information from post offices or online purchases at usps.com was breached, they said.

While the OPM and USIS breaches involved data of people who had gone through security clearances and so could be useful to a foreign government seeking to gain access to individuals in sensitive government work, it is not clear why Postal Service employees would be of such interest.

But some analysts say that targeting a federal agency such as the post office makes sense for China as an espionage tool. For one thing, the Chinese may be assuming that the U.S. Postal Service is more like theirs — a state-owned entity that has vast amounts of data on its citizens, said James A. Lewis, a cyber-policy expert at the Center for Strategic and International Studies. Second, he said, the trend in intelligence is the same as in the commercial sector: amass big sets of data that can be analyzed for previously unknown links or insights.

“They’re just looking for big pots of data on government employees,” Lewis said. “For the Chinese, this is probably a way of building their inventory on U.S. persons for counterintelligence and recruitment purpose.”

Such data may also be helpful in non-cyber espionage, said Steven Chabinsky, a former FBI official and now chief risk officer for CrowdStrike, a cybersecurity firm. “It’s not all about hackers. Having information about real live people could help them with on-the-ground operations.”

It is also possible that the Chinese were after other types of data, analysts said. For instance, the U.S. Postal Service, at the request of law enforcement officials, takes pictures of all addressing information from envelopes and parcels.

The U.S. government has strongly urged the Chinese to refrain from hacking U.S. companies to steal corporate secrets that can benefit Chinese industries. This case appears to be more like traditional espionage, which is what the United States engages in with respect to China.

Still, “it’s perfectly appropriate for us to do everything we can to embarrass and punish the Chinese if they’re in our systems, whether or not we’re in theirs,” said former National Security Agency general counsel Stewart A. Baker. “It’s the case that the U.S. and Russia and other countries are much more cautious about getting caught because they think there are going to be consequences. It’s only the Chinese that think there are no consequences to getting caught.”

The Postal Service was notified of the breach by the FBI and other federal agencies in mid-September. Planning to deal with the hack began immediately, but the actual remediation did not take place until the weekend.

“Acting too quickly could have caused more data to be compromised,” Partenheimer said.

New safeguards were put in place over the weekend to try to prevent future compromises, he said. That process caused intermittent system outages and slowed the delivery of external e-mail, he said.

The Department of Homeland Security’s Computer Emergency Readiness Team helped with the mitigation, as it did with the OPM and USIS hacks.

The Postal Service breach needs to be seen as part of a continuous series of efforts to target the government, experts say. “It shows the continuing proposition that no matter how many billions of dollars the federal government puts in place and no matter how many regulations U.S. agencies put in place, the federal government remains as vulnerable as the private sector,” Chabinsky said.

The breach also affected the data of customers who contacted the Postal Service Customer Care Center via phone or e-mail between Jan. 1 and Aug. 16, officials said. The data affected included names, e-mail addresses and phone numbers, but not Social Security numbers, they said. Officials said they did not believe customers needed to take any action as a result of that.

However, FBI spokesman Joshua Campbell said any suspected instances of identity theft should be reported to the FBI’s Internet Crime Complaint Center at www.ic3.gov.


via China suspected of breaching U.S. Postal Service computer networks – The Washington Post.
