Slashdot Mirror

← Back to Stories (view on slashdot.org)

US Postal Service Hacked, 500k+ Employees and Public Data Breached

Posted by samzenpus on from the protect-ya-neck dept.

An anonymous reader writes "The U.S. Postal Service has admitted that it has suffered a massive security breach, with the disclosure to hackers of the personal details of over 500,000 USPS workers, along with details supplied by members of the public when contacting Postal Service call centers between January and mid-August of 2014. The breach is a hard blow to the integrity and reputation of the USPS's internal security set-up, the Corporate Information Security Office (CISO). In 2012 CISO reports that it blocked 257 billion unauthorized attempts to access the USPS network, 66,734 attempts to distribute credit-card information, 1,278 attempts to reveal USPS-ordained credit-card transactions and 345,342 attempts to distribute social security numbers.

27 of 46 comments (clear)

  1. 2015? by log0n · · Score: 1

    First 2015 post?

    1. Re:2015? by gameboyhippo · · Score: 3, Funny

      Good thing someone came from the future to warn us. Whew!

    2. Re:2015? by zlives · · Score: 1

      now this is kind of govt program i can support... are you listening in NSA?

    3. Re:2015? by Applehu+Akbar · · Score: 1

      Yes, because it will take at least that long for the USPS breachers to print out millions of fake mortgage and credit card applications, address that many envelopes, and then stamp and mail them. Data breaches involving nineteenth-century technology are not for the faint of heart. Perhaps the ring will be exposed when hackers will be anonymously dumped off at hospitals with serious cases of writers' cramp. Police will then be able to follow trails of horse poop back to their stables.

    4. Re:2015? by Sir_Eptishous · · Score: 1

      Mod points!

      --
      We play the game with the bravery of being out of range
  2. Finally catching up with the private sector by Anonymous Coward · · Score: 1

    It's good to see a government agency innovating their data privacy breaches to keep pace with private sector companies like Target and Home Depot.

  3. January to August 2015? by GungaDan · · Score: 3, Funny

    The USPS *is* the future.

    --
    Eloi are stupid, throw morlocks at them!
  4. 257 billion attempts? by Anonymous Coward · · Score: 1

    Good grief. I guess persistence does pay off in the end.

  5. Not to worry, then. by Anonymous Coward · · Score: 4, Funny

    From TFS: "when contacting Postal Service call centers between January and mid-August of 2015."

    No worries, there's over a month to get it fixed before that.

  6. Never gloat by Bugler412 · · Score: 3, Insightful

    Never, ever, anywhere should you gloat about your security, we are ALL vulnerable. If you think otherwise and gloat about it you only increase your risk.

    1. Re:Never gloat by justsomecomputerguy · · Score: 2

      "Never, ever, anywhere should you gloat about your security, we are ALL vulnerable. If you think otherwise and gloat about it you only increase your risk." Signed, Colonel Klink.

    2. Re:Never gloat by imatter · · Score: 1

      I don't think you got the accent right.

  7. Re:What leaked? by Falos · · Score: 1

    Oh, and CC#'s? They're a dime a dozen.

    Non-figuratively.

    http://yro.slashdot.org/story/...

  8. Dear samzenpus: by bmimatt · · Score: 1

    I for one *love* news from the future. Please post more.

  9. NSA didn't warn USPS? by BoRegardless · · Score: 1

    How about the NSA identifying open doors in US Gov't entitity's systems!

  10. USPS Creed by Sir_Eptishous · · Score: 1

    2015? No problem:
    "Neither snow nor rain nor heat nor gloom of night nor wormholes stays these couriers from the swift completion of their appointed rounds"

    --
    We play the game with the bravery of being out of range
  11. You never..... by Rick+Zeman · · Score: 1

    "In 2012 CISO reports that it blocked 257 billion unauthorized attempts to access the USPS network, 66,734 attempts to distribute credit-card information, 1,278 attempts to reveal USPS-ordained credit-card transactions and 345,342 attempts to distribute social security numbers." ...hear the bullet that hits you.

  12. Seems about right by g1powermac · · Score: 1

    Being a former USPS employee, this just seems about right. The USPS, at least at the local post office level, has a mismatch of crazy tight security or almost nothing at all. I mean everything is watched (or believed to be watched) at the post office, but then once your mail leaves the office, the carrier can do practically anything he or she wants to do with it. Of course there's laws against this, but still, there's no security, nothing, once the truck leaves the office. No GPS, no cameras, nothing. And if you're a rural carrier, no one inspects your vehicle to make sure you cleared all mail from it. So this type mismatched security probably follows upward to the higher offices.

    1. Re:Seems about right by ruir · · Score: 1

      In dealing with mail offices, I have found that pretty much there is no *consistency* on the service. Depending on the post office, I can get a horrible service, can go to another where they do no fucking care about servicing their customers, or can go to another where their standards are better than most private offices.

  13. "Distribute"?? by Radical+Moderate · · Score: 1

    " 66,734 attempts to distribute credit-card information..and 345,342 attempts to distribute social security numbers."

    Is there a definition of distribute that I'm not aware of? If I break into a bank, I'm not trying to distribute a million dollars. Who are these hackers, Robin Hood?

    --
    Never let a lack of data get in the way of a good rant.
    1. Re:"Distribute"?? by Anonymous Coward · · Score: 1

      Any security industry professional would recognise these numbers for what they are - random statistics dragged out of intrusion detection sensors and (in this example) data loss prevention (DLP) systems. DLP is kind of like a website filter in reverse, blocking the upload of any data that matches a credit card or social security number pattern (regular expression) through web or email to external parties.

      The don't mean a person prevented or investigated anything, typically 99% of these are preventing staff "accidents" (stupidty) or false positives...

    2. Re:"Distribute"?? by ZeroWaiteState · · Score: 1

      Actually, in most cases a DLP is a "blinking light box" and that's about it. The CISO guy can walk into the cold server room, hmmmm to himself and feel warm all over watching the lights blink, then check his little box and go grab a frappi. All an HR guy who can't stop clicking @#$t has to do is log into the corporate VPN and download a password-protected Excel file with social security numbers to his virus-infected laptop and away we go. The fancy blinking light box will be no match for the clever Excel encryption, but the keylogger on said laptop will have no such problem. All ur ssn's r belong 2 us. Millions of dollars of security down the toilet. Grown men throwing tantrums. Hair loss. Class-action settlements. Lifelock commercials. Next time we will do better. In accordance with established best practices and under vigorous, relentless oversight, we will buy a much bigger blinking light box.

  14. Vote? by Known+Nutter · · Score: 1

    When I consider all of the "online voting" stories and ideas that float around during election time, I am forced to think of stories like this one.

    --
    Beware of the Leopard.
    1. Re:Vote? by ZeroWaiteState · · Score: 1

      Obamacare project managers put the website into production knowing they had only 60% functionality and a broken security model, to the point where they had to sign an addendum absolving the federal contractor from liability. Polling officials can't even calibrate a voting machine touch screen correctly in some cases. Many people believe you shouldn't even have to provide any identification to vote, as it theoretically disenfranchises people who can't afford IDs. Good luck implementing online voting.

  15. We shouldn't count Zone Alarm alerts.. by Sadsfae · · Score: 1

    In 2012 CISO reports that it blocked 257 billion unauthorized attempts to access the USPS network

    Post Office Zone Alarm alerts for Windows 98SE sitting on public IP address space shouldn't be counted in my opinion.

    --
    Have a squat over at the hobo house.
    1. Re:We shouldn't count Zone Alarm alerts.. by networkzombie · · Score: 2

      So they were attacked, on average, 8,149 times per second for a year? I thought my logs were bad. They should call that guy and tell him to stop!

  16. Re:What leaked? by Dishevel · · Score: 1

    I just want to know how I can upload all of my medical data to them.

    --
    Why is it so hard to only have politicians for a few years, then have them go away?