The United States Postal Service is continuing its investigation around a cyber attack at the agency that managed to compromise the information of both employees and customers earlier this year.
The USPS announced in a statement on Monday that it recently fell victim to a “cyber intrusion incident” and that it was working with the Federal Bureau of Investigation (F.B.I.) to learn more about the attack.
Roughly 800,000 employees were affected by the breach. Their names, dates of birth, Social Security numbers, addresses, emergency contact information and beginning and ending dates of employment may have been leaked as a result of the incident, according to the USPS.
The agency claims the intrusion also appears to have affected any customers who contacted the USPS’ Customer Care Center, either via email or phone, from Jan. 1 to Aug. 16. Customers’ names, addresses, telephone numbers, email addresses and other information users may have provided may have been leaked, but the USPS is stressing users don’t need to take action just yet.
“All operations of the Postal Service are functioning normally,” USPS spokesman David Partenheimer stressed in the statement.
It’s unclear exactly when the U.S. Post Office became aware of the intrusion but according to a letter sent from one U.S. representative, the agency allegedly told members of Congress back on October 22.
Rep. Elijah Cummings (D-Md.) sent a letter to the Postmaster General Patrick Donahoe on Monday asking for more information regarding the attack and cited classified briefings made to the House Committee on Oversight and Government Reform on both October 22 and November 7.
Cummings asked Donohoe for a more detailed description of the attack, when and how it happened, what exactly was breached and why it went undetected as long as it did.
The USPS didn’t state whether malware or a separate vulnerability was exploited to carry out the breach but experts suspect an application security weakness is to blame.
“It would not be surprising to learn that this attack, like other recent attacks, leveraged weaknesses in application software,” Jeff Williams, the CTO and Cofounder of Contrast Security said Tuesday, “Application security is considerably worse in government systems than in the financial sector.”
The Washington Post, citing unnamed officials, claims Chinese government hackers may be behind the attack yet Partenheimer could only attribute the attack to a “sophisticated actor” on Monday.
Cummings cited another hack that recently targeted ‘tens of thousands’ of federal employees in his letter. Attackers managed to infiltrate servers belonging to USIS, a private contractor that conducts background checks for the Department of Homeland Security in August. At the time the service claimed the attack had “all the markings of a state-sponsored attack.”
Although to a lesser extent, the USPS joins companies like Target, Kmart, and Home Depot in announcing breaches this year.
“It is an unfortunate fact of life these days that every organization connected to the Internet is a constant target for cyber intrusion activity,” Postmaster General Patrick Donahoe said in a separate statement. “The United States Postal Service is no different.”