US Postal Service Suffers Massive Data Breach, Over 800K Employees And Customers Exposed

Most of the time, when we hear about data breaches, it's because companies have either been compromised or failed to properly protect data. This time around, however, it's the United Postal Service in the limelight. Data on as many as 800,000 employees may have been stolen along with data on customers who called the USPS' various call centers between January and August of this year.

USPS spokesperson David Partenheimer told Reuters that "The intrusion is limited in scope and all operations of the Postal Service are functioning normally." What appears to set this attack apart from most other intrusions is that the attackers apparently weren't interested in either identity theft or credit card fraud.

That's actually a little surprising, given the scope of the operations that the Post Office oversees. If you get mail -- and 99.9% of us do, even if it's junk -- the Post Office has a record of your name and address. While these details aren't sufficient to initiate complete identity theft, many security questions and basic forms of ID rely on them. Getting access to this information -- as well as possibly a web of data on who sends packages to whom -- could be useful to nation-states who want to track the actions of specific targets.

This attack is small compared to the corporate data breaches that have affected tens of millions of people, but the specificity of the attack and its apparent sophistication point to more worrying motives. Criminals who use stolen identities to make fraudulent purchases are a definite problem, but we have corporate fraud detection schemes in place to detect them and limit the damage to the individual consumer.

USPS headquarters, Washington DC

Stealing data from the Post Office for non-financial reasons is something entirely different, and as much as I think the concept of "cyberwar" is oversold on Capitol Hill (and played to ridiculous lengths in Hollywood), it's impossible to ignore the fact that yes, there are other countries sponsoring teams of hackers working to actively steal secrets and support their own states in duplicitous conduct. At the very least, it's an extension of the types of intelligence work that governments regularly engaged in throughout the 20th century, and security measures need to be taken to ensure classified information doesn't leak into the wrong hands.

There’s no word yet on who may have perpetrated the attack, or exactly what the infection vector was.  Congress has requested more information from the USPS on the attack, with Representative Elijah Cummings writing "The increased frequency and sophistication of cyber-attacks upon both public and private entities highlights the need for greater collaboration to improve data security."