Postal Service target of breach |

Postal Service target of breach

WASHINGTON — The Postal Service was the victim of a cyber attack that may have compromised the personal information of more than 800,000 employees, as well as data on customers who contacted its call center during the first eight months of this year.

Employee data may include names, dates of birth, Social Security numbers, addresses, beginning and end dates of employment and emergency contact information, the Postal Service said Monday.

“The intrusion is limited in scope, and all operations of the Postal Service are functioning normally,” USPS spokesman David Partenheimer said.

The intrusion may have compromised data on people who contacted the Postal Service Customer Care Center by telephone or email from January through Aug. 16, he said.

Partenheimer said the attack was carried out by a “sophisticated actor” not interested in identity theft or credit card fraud.

Cybersecurity experts said it was too soon to know who was behind the attack but agreed the Postal Service was a rich target.

“There’s a lot of information there, and it has great value,” to nation-states like China or cybercriminals in Russia,” said George Kurtz, chief executive of cybersecurity firm CrowdStrike.

“The U.S. Post Office moves billions of letters each year, and all of that is captured digitally,” Kurtz said. “The information flow of where letters and packages and correspondence are going and who is talking to whom is very interesting to them.”

The Postal Service has about 8,000 employees in Western Pennsylvania, spokesman Tad Kelley said.

“However, at this time, there is no information indicating any were affected by the intrusion into our corporate information system,” he said.

As security breaches go, the Postal Service’s is relatively small, said David Thaw, an assistant professor of law and information sciences at the University of Pittsburgh. Private company data breaches often involve millions of people’s records.

“There are eight that we know of that were in the hundreds of millions and two more that were just under 100 million,” he said.

The Postal Service should be concerned about the hackers matching the employees’ records to other information, said Albert Whale, president of Pittsburgh-based IT Security Inc.

The Postal Service said it would pay for employees to get credit monitoring services for one year. The breach did not affect credit card data from retail or online services including Click-N-Ship, the Postal Store, PostalOne! or change of address services, it said.

Employee data breaches often come ahead of a wider attack.

Edward Ferrara, vice president at Forrester Research, said the data could be used to launch secondary phishing attacks or to gain information about government cyber defenses.

The FBI is leading the investigation. A bureau spokesman declined to provide details.

TribLIVE commenting policy

You are solely responsible for your comments and by using you agree to our Terms of Service.

We moderate comments. Our goal is to provide substantive commentary for a general readership. By screening submissions, we provide a space where readers can share intelligent and informed commentary that enhances the quality of our news and information.

While most comments will be posted if they are on-topic and not abusive, moderating decisions are subjective. We will make them as carefully and consistently as we can. Because of the volume of reader comments, we cannot review individual moderation decisions with readers.

We value thoughtful comments representing a range of views that make their point quickly and politely. We make an effort to protect discussions from repeated comments either by the same reader or different readers

We follow the same standards for taste as the daily newspaper. A few things we won't tolerate: personal attacks, obscenity, vulgarity, profanity (including expletives and letters followed by dashes), commercial promotion, impersonations, incoherence, proselytizing and SHOUTING. Don't include URLs to Web sites.

We do not edit comments. They are either approved or deleted. We reserve the right to edit a comment that is quoted or excerpted in an article. In this case, we may fix spelling and punctuation.

We welcome strong opinions and criticism of our work, but we don't want comments to become bogged down with discussions of our policies and we will moderate accordingly.

We appreciate it when readers and people quoted in articles or blog posts point out errors of fact or emphasis and will investigate all assertions. But these suggestions should be sent via e-mail. To avoid distracting other readers, we won't publish comments that suggest a correction. Instead, corrections will be made in a blog post or in an article.