WASHINGTON — The Postal Service was the victim of a cyber attack that may have compromised the personal information of more than 800,000 employees, as well as data on customers who contacted its call center during the first eight months of this year.
Employee data may include names, dates of birth, Social Security numbers, addresses, beginning and end dates of employment and emergency contact information, the Postal Service said Monday.
“The intrusion is limited in scope, and all operations of the Postal Service are functioning normally,” USPS spokesman David Partenheimer said.
The intrusion may have compromised data on people who contacted the Postal Service Customer Care Center by telephone or email from January through Aug. 16, he said.
Partenheimer said the attack was carried out by a “sophisticated actor” not interested in identity theft or credit card fraud.
Cybersecurity experts said it was too soon to know who was behind the attack but agreed the Postal Service was a rich target.
“There's a lot of information there, and it has great value” to nation-states like China or cybercriminals in Russia, said George Kurtz, chief executive of cybersecurity firm CrowdStrike.
“The U.S. Post Office moves billions of letters each year, and all of that is captured digitally,” Kurtz said. “The information flow of where letters and packages and correspondence are going and who is talking to whom is very interesting to them.”
The Postal Service has about 8,000 employees in Western Pennsylvania, spokesman Tad Kelley said.
“However, at this time, there is no information indicating any were affected by the intrusion into our corporate information system,” he said.
As security breaches go, the Postal Service's is relatively small, said David Thaw, an assistant professor of law and information sciences at the University of Pittsburgh. Private company data breaches often involve millions of people's records.
“There are eight that we know of that were in the hundreds of millions and two more that were just under 100 million,” he said.
The Postal Service should be concerned about the hackers matching the employees' records to other information, said Albert Whale, president of Pittsburgh-based IT Security Inc.
The Postal Service said it would pay for employees to get credit monitoring services for one year. The breach did not affect credit card data from retail or online services including Click-N-Ship, the Postal Store, PostalOne! or change of address services, it said.
Employee data breaches often come ahead of a wider attack.
Edward Ferrara, vice president at Forrester Research, said the data could be used to launch secondary phishing attacks or to gain information about government cyber defenses.
The FBI is leading the investigation. A bureau spokesman declined to provide details.