US Postal Service latest to be hit by data breach
Earlier this week the US Postal Service (USPS) posted a statement on their website stating that attackers had broken into their systems and stolen confidential information including Social Security numbers, names and date of birth of employees. Customers were also targeted; various forms of personally identifiable information such as names, phone numbers and email addresses were also stolen.
Whilst the USPS has not disclosed the number of customers and employees affected, various unofficial sources put the number of employees affected at around 800,000. The number of customers affected is probably around 3 million; any customers that contacted the Postal Service Customer Care Centre via email or phone between 1st January 2014 and 16th August 2014 are potentially affected.
As part of a clampdown on security, USPS has shutdown the Virtual Private Network (VPN) that USPS employees use to remotely access the USPS network. The VPN was shutdown in part due to an identified vulnerability to attack. According to the FAQ for employees, the VPN “will remain unavailable as we work to make modifications to this type of remote access to our networks.”
There has been speculation on who was responsible for the data breach, but as yet, this is unknown. Currently several agencies, including the FBI and the Department of Justice, are investigating the breach.
The USPS breach is another in a string of data breaches stretching back to the Target data breach in late 2013. There was also the Home Depot data breach, which is ongoing at present. JP Morgan, UPS stores and Kmart have also been hit this year.
As was seen with the Target data breach, attackers often use phishing emails as a first point of attack. Spear phishing (where the attackers target specific individuals) offer a fruitful means of gaining access, and as a report released by Google (written jointly by Google and the University of California) shows, up to 45% of users are tricked by high quality phishing sites.