BreachExchange mailing list archives
Lynch, Unhappy With Postal Service Data Breach Response, Mulls Legislation
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 19 Nov 2014 17:32:41 -0700
http://blogs.rollcall.com/technocrat/lynch-mulling-legislation-after-postal-service-data-breach/?dcz=

After a data breach affecting roughly 800,000 U.S. Postal Service employees was made public earlier this month, the ranking Democrat on a House Oversight & Government Affairs subcommittee signaled he was thinking about legislation that would require automatic disclosure.

Stephen F. Lynch, D-Mass., said at a Federal Workforce, U.S. Postal Service and the Census Subcommittee hearing on Wednesday that he was “disappointed” with the Postal Service’s response, arguing employees should have been notified earlier. Employees should be notified as soon as it’s known that personally identifiable information has been compromised, Lynch said at the hearing. Under the Postal Service’s plan, a U.S. government agency could have the Social Security numbers of all its employees compromised, and it decides based on its own interests when they’ll be notified, he said. “That doesn’t work,” he said.

“We gotta figure something out,” Lynch said in questioning Randy Miskanic, vice president of the U.S. Postal Service’s Secure Digital Solutions group. “Maybe it’s legislatively we need… mandate this, but you have to be more forthcoming with the people that you’re supposed to be protecting than you have been in this case.”

As a consumer, if someone has accessed his Social Security number, the best defense is knowing about it so he can do things like monitor credit card activity, he said. “But if I don’t have that information, I’m defenseless,” he said.

Lynch later told Technocrat that the legislation he was thinking about would require automatic disclosure and an early warning system in connection with breaches of personally identifiable information.

Miskanic said that on Sept. 11 the Postal Service only had information that four servers out of several hundred workstations had “potentially malicious code.” To adequately investigate, they had to learn the sophistication of the actor, he said. It then became clear that data had been compromised, but they needed to recreate fragments of data, he said. It was Nov. 4, and not before then, that they confirmed that information had left the Postal Service network, he said.

In his testimony he also said it was critical that the hacker not know they were being watched. “Any premature leak about our remediation steps might have caused this adversary to cover their tracks or take countermeasures that might have further harmed our network,” he said. Between Nov. 8 and 9, the Postal Service took remediation steps, and on Nov. 10 they notified those affected, he said in his testimony, pointing out that the notification happened a week after they confirmed data had been stolen. “To date, we have seen no evidence that the compromised employee data has been used for malicious purposes – such as identity theft,” he said.

Ranking Democrat Elijah E. Cummings, D-Md., said the Postal Service was transparent, giving classified briefings to the panel in October and early November, and that Miskanic’s testimony detailed the Postal Service’s response. None of the private companies that have been breached this year voluntarily notified the panel, he said.

Some additional information about the breach: the Postal Service is still processing evidence, and there is the possibility of “additional compromise,” specifically to some workers’ compensation files, Miskanic said. Also, 2.9 million records of customers who contacted the Postal Service Customer Care Center were compromised. But this didn’t include sensitive information; rather, it was names, addresses, and phone numbers if customers left that information, according to Miskanic.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/