The U.S. Postal Service said today it had been the victim of a data breach this fall, but that the intrusion did not involve credit or debit card data of customers making retail and online purchases from USPS services like Click-N-Ship. However it did involve hackers gaining access to personal information of USPS employees and customers, the latter through the USPS call center.
The USPS data breach, which the agency said took place sometime after suspicious activities were noticed in mid-September, affected more than 800,000 people. In addition to USPS employees and retirees, the breach affected employees of the Postal Regulatory Commission, the U.S. Postal Inspection Service and the Postal Service Office of Inspector General.
“Fortunately, we have seen no evidence of malicious use of the compromised data and we are taking steps to help our employees protect against any potential misuse of their data,” Postmaster General Patrick Donahoe said in a statement.
David Partenheimer, manager of media relations for the USPS, said the investigation into the incident is being led by the Federal Bureau of Investigation in conjunction with other federal and postal investigatory agencies. He added the intrusion is limited in scope and did not impact any USPS operations.
Partenheimer said the attack appeared similar in nature to other federal government data breaches earlier this year. A White House official told the Wall Street Journal in October that its computers had been targeted by hackers, and an apparent breach of computer systems at the federal Office of Personnel Management was investigated in July.
Information potentially compromised included personally identifiable information about current and former USPS employees and regulators, including names, dates of birth, Social Security numbers, addresses, beginning and end dates of employment, emergency contact information and other information.
Sometime after the USPS became aware of suspicious activity in mid-September, Partenheimer said hackers made their way into its information systems. While the USPS took immediate action, including the use of cyber experts to investigate the attack and try to stop it, he said the public announcement is being made now because an earlier notice could have jeopardized the investigation and caused additional harm to information files.
“Postal Service transactional revenue systems in Post Offices, as well as on usps.com where customers pay for services with credit and debit cards, have not been affected by this incident,” Partenheimer said. “There is no evidence that any customer credit card information from retail or online purchases such as Click-N-Ship, the Postal Store, PostalOne!, change of address or other services was compromised.”
The intrusion also compromised call center data for customers who contacted the Postal Service Customer Care Center with an inquiry via telephone or e-mail between Jan. 1, 2014, and Aug. 16, 2014. This included their names, addresses, telephone numbers, email addresses and other information.
“At this time, we do not believe that potentially affected customers need to take any action as a result of this incident,” Parteinheimer said.
The USPS has recently implemented additional security measures designed to improve the security of its information systems, Partenheimer said, some of which caused certain systems to be offline this past weekend as the breach was dealt with.