It appears that USPS has left Members of Congress, unions, postal employees and customers in the dark on the cyber attack.

Congressman Darrell Issa said yesterday that USPS knew of the cyber attack two months ago.

American Postal Workers Union president Mark Dimondstein said he found out yesterday.

National Association of Letter Carriers president Fredric Rolando said yesterday:  “At 9 o’clock this morning, NALC received the following information on the cyber breach that compromised Postal Service employees’ personal and employment information. This is the first we heard of the cyber intrusion. NALC will continue to monitor this situation and report on any new developments.”

National Postal Mail Handlers Union (NPMHU) found out yesterday: “On November 10, 2014, the United States Postal Service notified the NPMHU of a cyber-intrusion into some of its information systems.est assured that the NPMHU is doing everything possible to ensure that the Postal Service takes appropriate steps to minimize the adverse effects of this privacy failure. Watch your bulletin boards, U.S. Mail and Union publications for additional information.”

National Association of Postal Supervisors did not mention as to when they were notified: “NAPS HQ was informed by USPS HQ officials that a cyber-breach of USPS employee data occurred. NAPS will continue to consult with the Postal Service on any further developments regarding this situation and will relay this information to the membership as we receive it.”

The National Association of Postmasters of the United States (NAPUS) and the National League of Postmasters as of today  have not released any statements to its members. Both groups are quieter than the night before Christmas.

It appears Postmaster General Patrick Donahoe’s message  was in the final stages last week.

and now Congressman Elijah Cummings is requesting additional information after USPS briefed members of Congress on October 22, and November 7, 2014.  Here is what Cummings is requesting:

(November 10, 2014) Washington, D.C. —Following two classified briefings previously provided by the Postal Service to staff of the House Committee on Oversight and Government Reform, Ranking Member Elijah E. Cummings sent a letter today to Postmaster General Patrick Donahoe requesting additional information about a recent cyber-attack against the Postal Service.

This cyber-attack follows similar attacks at Home Depot, K-Mart, Target, JPMorgan Chase, and Community Health Systems.

Federal contractors have also been targeted, including USIS, the nation’s largest private provider of federal background investigations.

Cummings has been calling for enhanced oversight of cyber-attacks for the past year. These attacks and others have reportedly affected millions of American consumers.

“The increased frequency and sophistication of cyber-attacks upon both public and private entities highlights the need for greater collaboration to improve data security,” Cummings wrote in his letter today.

He also cited reports that 500 million records have been stolen from various financial institutions as a result of cyber-attacks over the past year, according to federal law enforcement officials.

In his letter today, Cummings requested information about the scope of the cyber-attack, including the types of data breached, the number of employees and customers potentially affected, findings about vulnerabilities to computer systems, and data protection improvement measures taken since discovering the breach.

see below for a copy of the letter:

November 10, 2014

The Honorable Patrick R. Donahoe
Postmaster General and Chief Executive Officer
United States Postal Service
475 L’Enfant Plaza SW
Washington, D.C. 20260

Dear Postmaster General Donahoe:

I am writing to request additional information about the cyber-attack announced publicly today by the Postal Service.

First, I would like to thank you for the two fulsome briefings that were provided by Postal Service officials to our Committee staff on October 22 and November 7, 2014, before this cyber-attack was made public. The information provided in these classified settings was helpful in conveying information about the potential attackers in this case and the possible scope of their destructive actions.

The increasing number of cyber-attacks in both the public and private sectors is unprecedented and poses a clear and present danger to our nation’s security. For example, USA Today recently ran a front-page story reporting that 500 million records have been stolen from various financial institutions as a result of cyber-attacks over the past year, according to federal law enforcement officials. The report stated:

Federal officials warned companies Monday that hackers have stolen more than 500 million financial records over the past 12 months, essentially breaking into banks without ever entering a building.[1]

The report also explained that law enforcement officials believe the “U.S. financial sector is one of the most targeted in the world.”[2]

Large companies such as Home Depot, Target, K-Mart, and Community Health Partners—one of the nation’s largest hospital chains—have also been the victims of cyber-attacks in the past year.[3]

Federal contractors have also been targeted, including USIS, the nation’s largest private provider of federal background investigations. USIS’s network was penetrated in August, compromising the personal information of tens of thousands of federal employees. During a hearing before our Committee in September, the director of the U.S. Computer Emergency Readiness Team testified that malware attacks are “very frequent” and “happen every day across the globe on the Internet.”[4]

The increased frequency and sophistication of cyber-attacks upon both public and private entities highlights the need for greater collaboration to improve data security. The Postal Service’s knowledge, information, and experience in combating data breaches will be helpful as Congress examines federal cybersecurity laws and any necessary improvements to protect sensitive consumer and government financial information.

For these reasons, I request that the Postal Service provide the following information:

1. a description of the cyber-attack, including the date and the manner in which it was first discovered, the dates the attack is believed to have begun and ended, and the actions you took after learning of this attack;

(2) the types of data breached, the number of employees and customers potentially affected, the manner in which employees and customers were notified of the breach, and the scope of any fraudulent transactions that resulted from the breach;

(3) the findings from forensic investigative analyses or reports concerning the breaches, including findings about vulnerabilities to malware, the use of data segmentation to protect Personally Identifiable Information (PII), and why the breach went undetected for the length of time it did;

(4) a description of data protection improvement measures the Postal Service has undertaken since discovering the breaches;

(5) a description of the data security policies and procedures that govern your relationships with vendors, third-party service providers, and subcontractors, including the manner by which you ensure that entities performing work on your behalf have reasonable data security controls in place to thwart cyber-attacks; and

(6) any recommendations for improvements in cybersecurity laws or the coordination of efforts to identify and respond to emerging trends in cybersecurity risks to help prevent future data breaches.

Please provide the requested information by December 19, 2014. If you have any questions about this request, please contact Timothy D. Lynch at (202) 225-0312.

Sincerely,

Elijah E. Cummings

Ranking Member

cc: The Honorable Darrell E. Issa, Chairman

 

 

 

• Video: Postmaster General’s message to employees regarding the cyber inciden
• APWU files Labor charges against USPS over lack of info on security breach
• For employees:USPS Q & A on cyber intrusion and employee data compromise November 10, 2014
• For customers: USPS Q & A on cyber intrusion,employee data compromise, if customers are affected data November 10, 2014
• USPS Statement on Cyber Intrusion Incident November 10, 2014
• Congressmen want answers on why USPS waited two months to tell victims of data breach