For nearly two months, after suspicious activity was detected on postal service networks, employees and customers remained in the dark about the potential that their data had been compromised.
The delay drew criticism from Congress at a House oversight hearing today.
“I am very disappointed in the way you handled this… you have to be more forthcoming,” Rep. Stephen Lynch (D-MA) scolded U.S. Postal Service officials testifying at the hearing.
Investigators say, however, they needed the time to determine exactly what data had been compromised, whether the data had been taken and how to stop the incursion.
The data breach, which compromised the personal information of more than 800,000 employees, was first detected by the U.S. Computer Emergency Readiness Team (US-CERT) on September 11.
However, it took until October 16 to learn that data had indeed been compromised and until November 4 to confirm data had been taken, according to testimony by top U.S. Postal Service cyber-security official Randy Miskanic. Employees were first informed on November 10 that their data was stolen.
The employee data included names, dates of birth, social security numbers, addresses, dates of employment and other information. Credit monitoring services are being provided to impacted employees out of an abundance of caution.
Upon being notified of a potential breach by US-CERT on September 11, investigators worked in secret at the urging of the FBI to keep what they believed was a “sophisticated” adversary from learning they had been detected, Miskanic said.
The FBI warned that making the breach public “could result in the threat being further embedded into the Postal Service network,” Miskanic testified.
Rep. Lynch bristled at the secrecy, saying that potentially impacted employees and customers had a right to know sooner. “The secret squirrel stuff … that doesn’t fly,” Lynch said.
Though the initial breach is believed to have involved four servers, Miskanic told the committee that “approximately 100 servers and their workstations were compromised.”
The U.S. Postal Service also believes that some basic customer information was compromised. That data includes 2.9 million customer complaints stored on a compromised server which held name, address, phone and email information for those customers.
While complaint information appears to have been pilfered, investigators do not believe customer credit information was lost.
“At this time, we do not believe that Postal Service transactional revenue systems in Post Offices, as well as on usps.com where customers pay for services with credit and debit cards, were affected by this incident. There is no evidence that any customer credit card information from retail or online purchases, change of address or other services was compromised,” Miskanic said in his testimony.