BreachExchange mailing list archives

Lynch, Unhappy With Postal Service Data Breach Response, Mulls Legislation


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 19 Nov 2014 17:32:41 -0700

http://blogs.rollcall.com/technocrat/lynch-mulling-legislation-after-postal-service-data-breach/?dcz=

After a data breach affecting roughly 800,000 U.S. Postal Service employees
was made public earlier this month, the ranking Democrat on a House
Oversight & Government Affairs subcommittee signaled he was thinking about
legislation that would require automatic disclosure.

Stephen F. Lynch, D-Mass., said at a Federal Workforce, U.S. Postal Service
and the Census Subcommittee hearing on Wednesday that he was “disappointed”
with the Postal Service’s response, arguing employees should have been
notified earlier.

Employees should be notified as soon as it’s known that personally
identifiable information has been compromised, Lynch said at the hearing.

Under the Postal Service’s plan, a U.S. government agency could have Social
Security numbers of all its employees compromised, and it decides based on
its own interests when they’ll be notified, he said.

“That doesn’t work,” he said.

“We gotta figure something out,” Lynch said in questioning Randy Miskanic,
vice president of the U.S. Postal Service’s Secure Digital Solutions group.
“Maybe it’s legislatively we need… mandate this, but you have to be more
forthcoming with the people that you’re supposed to be protecting than you
have been in this case.”

As a consumer, if someone has accessed his Social Security number, the best
defense is knowing about it so he can do things like monitor credit card
activity, he said.

“But if I don’t have that information, I’m defenseless,” he said.

Lynch later told Technocrat that the legislation he was thinking about
would require automatic disclosure and an early warning system in
connection with breaches of personally identifiable information.

Miskanic said that on Sept. 11 the Postal Service only had information that
four servers out of several hundred work stations had “potentially
malicious code.” To adequately investigate they had to learn the
sophistication of the actor, he said. It then became clear that data had
been compromised, but they needed to recreate fragments of data, he said.
It was Nov. 4, and not before then, that they confirmed that information
had left the Postal Service network, he said.

In his testimony he also said it was critical that the hacker not know they
were being watched.

“Any premature leak about our remediation steps might have caused this
adversary to cover their tracks or take countermeasures that might have
further harmed our network,” he said.

Between Nov. 8 and 9, the Postal Service took remediation steps and on Nov.
10 they notified those affected, he said in his testimony, pointing out
that the notification happened a week after they confirmed data had been
stolen.

“To date, we have seen no evidence that the compromised employee data has
been used for malicious purposes – such as identity theft,” he said.

Ranking Democrat Elijah E. Cummings, D-Md., said the Postal Service was
transparent, giving classified briefings to the panel in October and early
November and that Miskanic’s testimony detailed the Postal Service’s
response. None of the private companies that have been breached this year
voluntarily notified the panel, he said.

Some additional information about the breach: the Postal Service is still
processing evidence, and there’s the possibility of “additional
compromise,” specifically to some workers compensation files, Miskanic said.

Also, 2.9 million records of customers who contacted the Postal Service
Customer Care Center were compromised. This didn’t include sensitive
information; rather, it was names, addresses, and phone numbers, if
customers left that information, according to Miskanic.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 