The U.S. Postal Service is the latest victim in a busy year of data breaches. According to a CNN report, hackers recently broke into a U.S. Postal Service computer system and stole personal data, including Social Security numbers, for 750,000 employees and retirees, also compromising the data of 2.9 million postal service customers.
USPS acknowledged the breach in a statement Monday: “The Postal Service has recently learned of a cyber-security intrusion into some of our information systems. We began investigating this incident as soon as we learned of it, and we are cooperating with the investigation, which is ongoing. The investigation is being led by the Federal Bureau of Investigation and joined by other federal and postal investigatory agencies. The intrusion is limited in scope and all operations of the Postal Service are functioning normally.”
The personal information of the 750,000 employees and retirees includes birthdates, addresses and employment codes. Customer data affected includes names, home addresses, phone numbers and emails.
"We're hearing a steady drumbeat of data breaches," says Dave Frymier, CISO for Unisys. "These attacks have been going on for quite a while, but now our detection is getting better," which is why more data breaches are being reported. Frymier says that the industry's growing adoption and use of security information and event management (SIEM) systems has led to more frequent identification of abnormal or suspect traffic patterns.
Another problem, which could be connected to the USPS breach, he says, is the universal availability of, and access to, data.
"Everyone wants access to everything from everywhere," Frymier says. "This has not served us well. Only 5 to 15 percent of data is truly important, the crown jewels, much more important than the emails and day-to-day operations that make up the bulk of data in an enterprise. There's a trade-off between convenience and corporate data protection," he adds.
To move forward, Frymier suggests implementing several best practices, including identifying the corporate "crown jewels" of data, restricting access to that data to personnel who truly need to access it ("Your sales team should not have access to the human resources database," for example), and using encryption to hide important data from malicious actors.
"We have to get back to classic security methods: hiding and protecting the keys to the business," he says.