US Postal Service Hacked, 500k+ Employees and Public Data Breached

An anonymous reader writes "The U.S. Postal Service has admitted that it has suffered a massive security breach, with the disclosure to hackers of the personal details of over 500,000 USPS workers, along with details supplied by members of the public when contacting Postal Service call centers between January and mid-August of 2014. The breach is a hard blow to the integrity and reputation of the USPS's internal security set-up, the Corporate Information Security Office (CISO). In 2012 CISO reports that it blocked 257 billion unauthorized attempts to access the USPS network, 66,734 attempts to distribute credit-card information, 1,278 attempts to reveal USPS-ordained credit-card transactions and 345,342 attempts to distribute social security numbers.

2015?

[log0n]

First 2015 post?

Re:2015?

[gameboyhippo]

Good thing someone came from the future to warn us. Whew!

Re:2015?

[zlives]

now this is kind of govt program i can support... are you listening in NSA?

Re:2015?

[Applehu+Akbar]

Yes, because it will take at least that long for the USPS breachers to print out millions of fake mortgage and credit card applications, address that many envelopes, and then stamp and mail them. Data breaches involving nineteenth-century technology are not for the faint of heart. Perhaps the ring will be exposed when hackers will be anonymously dumped off at hospitals with serious cases of writers' cramp. Police will then be able to follow trails of horse poop back to their stables.

Re:2015?

[Sir_Eptishous]

Mod points!

Finally catching up with the private sector

It's good to see a government agency innovating their data privacy breaches to keep pace with private sector companies like Target and Home Depot.

January to August 2015?

[GungaDan]

The USPS *is* the future.

Re:January to August 2015?

Thankfully very few people are masochists enough to call the USPS on the phone, so silver lining.

Re:January to August 2015?

You can't call them on the phone (local) directly anymore. The only number that seems to work is the 800 number.

257 billion attempts?

Good grief. I guess persistence does pay off in the end.

Total value stolen: $0

Negative really.

Mid-August of 2015?

Hackers from the FUTURE!

Re:Mid-August of 2015?

Good thing it wasn't mid-October. We might've seen some serious shit.

Not to worry, then.

From TFS: "when contacting Postal Service call centers between January and mid-August of 2015."

No worries, there's over a month to get it fixed before that.

What leaked?

[Falos]

> the personal details
Home address? Worthless shit.
Annual salary? Meh.
"Private" phone number? Oh woe, wail, the end of the world.
Social security number? Only the naive think these are never-leaked-superdupersecure, but now we're talking serious.
Security credentials? Man the harpoons.

Re:What leaked?

[Falos]

Oh, and CC#'s? They're a dime a dozen.

Non-figuratively.

http://yro.slashdot.org/story/...

Re:What leaked?

[Dishevel]

I just want to know how I can upload all of my medical data to them.

Never gloat

[Bugler412]

Never, ever, anywhere should you gloat about your security, we are ALL vulnerable. If you think otherwise and gloat about it you only increase your risk.

Re:Never gloat

[justsomecomputerguy]

"Never, ever, anywhere should you gloat about your security, we are ALL vulnerable. If you think otherwise and gloat about it you only increase your risk." Signed, Colonel Klink.

Re:Never gloat

[imatter]

I don't think you got the accent right.

2015

Slashdot lay off the dabs

Dear samzenpus:

[bmimatt]

I for one *love* news from the future. Please post more.

NSA didn't warn USPS?

[BoRegardless]

How about the NSA identifying open doors in US Gov't entitity's systems!

Re:NSA didn't warn USPS?

because they're the ones that opened the door, duh!

USPS Creed

[Sir_Eptishous]

2015? No problem:
"Neither snow nor rain nor heat nor gloom of night nor wormholes stays these couriers from the swift completion of their appointed rounds"

You never.....

[Rick+Zeman]

"In 2012 CISO reports that it blocked 257 billion unauthorized attempts to access the USPS network, 66,734 attempts to distribute credit-card information, 1,278 attempts to reveal USPS-ordained credit-card transactions and 345,342 attempts to distribute social security numbers." ...hear the bullet that hits you.

Private vs. Public

[RyoShin]

See, the government can do just as good a job as private corporations like Home Depot or Target when it comes to storing sensitive data!

Seems about right

[g1powermac]

Being a former USPS employee, this just seems about right. The USPS, at least at the local post office level, has a mismatch of crazy tight security or almost nothing at all. I mean everything is watched (or believed to be watched) at the post office, but then once your mail leaves the office, the carrier can do practically anything he or she wants to do with it. Of course there's laws against this, but still, there's no security, nothing, once the truck leaves the office. No GPS, no cameras, nothing. And if you're a rural carrier, no one inspects your vehicle to make sure you cleared all mail from it. So this type mismatched security probably follows upward to the higher offices.

Re:Seems about right

[ruir]

In dealing with mail offices, I have found that pretty much there is no *consistency* on the service. Depending on the post office, I can get a horrible service, can go to another where they do no fucking care about servicing their customers, or can go to another where their standards are better than most private offices.

fubeta

fuobeta its so yukky

"Distribute"??

[Radical+Moderate]

" 66,734 attempts to distribute credit-card information..and 345,342 attempts to distribute social security numbers."

Is there a definition of distribute that I'm not aware of? If I break into a bank, I'm not trying to distribute a million dollars. Who are these hackers, Robin Hood?

Re:"Distribute"??

Any security industry professional would recognise these numbers for what they are - random statistics dragged out of intrusion detection sensors and (in this example) data loss prevention (DLP) systems. DLP is kind of like a website filter in reverse, blocking the upload of any data that matches a credit card or social security number pattern (regular expression) through web or email to external parties.

The don't mean a person prevented or investigated anything, typically 99% of these are preventing staff "accidents" (stupidty) or false positives...

Re:"Distribute"??

[ZeroWaiteState]

Actually, in most cases a DLP is a "blinking light box" and that's about it. The CISO guy can walk into the cold server room, hmmmm to himself and feel warm all over watching the lights blink, then check his little box and go grab a frappi. All an HR guy who can't stop clicking @#$t has to do is log into the corporate VPN and download a password-protected Excel file with social security numbers to his virus-infected laptop and away we go. The fancy blinking light box will be no match for the clever Excel encryption, but the keylogger on said laptop will have no such problem. All ur ssn's r belong 2 us. Millions of dollars of security down the toilet. Grown men throwing tantrums. Hair loss. Class-action settlements. Lifelock commercials. Next time we will do better. In accordance with established best practices and under vigorous, relentless oversight, we will buy a much bigger blinking light box.

Vote?

[Known+Nutter]

When I consider all of the "online voting" stories and ideas that float around during election time, I am forced to think of stories like this one.

Re:Vote?

[ZeroWaiteState]

Obamacare project managers put the website into production knowing they had only 60% functionality and a broken security model, to the point where they had to sign an addendum absolving the federal contractor from liability. Polling officials can't even calibrate a voting machine touch screen correctly in some cases. Many people believe you shouldn't even have to provide any identification to vote, as it theoretically disenfranchises people who can't afford IDs. Good luck implementing online voting.

Pretty good record, actually

1 breach out of over 257 billion attempts seems like a pretty good track record. That's a failure rate of 3.89E-12.

Doesn't sound like a "hard blow" at all. It sounds more like close to 12 9s of "uptime" when it comes to breach attempts.

If the private sector - let's say Target and all the other corporations that have been breached over the years - came anywhere near that kind of track record, we'd be celebrating it. But because it's government, of course, that's an unacceptable failure rate.

We shouldn't count Zone Alarm alerts..

[Sadsfae]

In 2012 CISO reports that it blocked 257 billion unauthorized attempts to access the USPS network

Post Office Zone Alarm alerts for Windows 98SE sitting on public IP address space shouldn't be counted in my opinion.

Re:We shouldn't count Zone Alarm alerts..

In 2012 CISO reports that it blocked 257 billion unauthorized attempts to access the USPS network

I have over a couple Terabytes logged in Solarwinds LEM from this year alone from attacks hitting us. the Hundreds of Billions of blocked attacks number is something anyone with a decent firewall log gets to claim.

Re:We shouldn't count Zone Alarm alerts..

[networkzombie]

So they were attacked, on average, 8,149 times per second for a year? I thought my logs were bad. They should call that guy and tell him to stop!

public data?

In the future public data also need to be hacked.
You have been warned.

Did they hit or would they tell

If they got into the Mail Isolation Control and Tracking program systems?

Another IBM fuckup?

IBM manages the USPS computer systems, they also manage Amtrak's systems, I worked for them and it was never disclosed to the public that Amtrak's PCI systems were breached.

Serves Them Right

After all.

Postal Service employees steal more than 2 trillion dollars US from USA citizens alone.

The amount they steal from Mexicans and Latinos is Gargantuan by proportion.

Hey hey hey

Stop blaming the credi^H^H^H^H^H, i mean the ban^H^H^H, I mean the retai^H^H^H^H^H, I mean the conglam^H^H^H^H^H^H, I mean the USPS.

They are a govt entity after all, and they have really, like slow turtles

- SK

But there is good news in this

Good news: The USPS is actually relevant to someone. That hasn't happened much this century.