BreachExchange mailing list archives

Postal Service cybersecurity still weak after September attack


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 8 May 2015 13:10:37 -0600

http://www.washingtonexaminer.com/postal-service-cybersecurity-still-weak-after-september-attack/article/2564179

Cybersecurity weaknesses still leave United States Postal Service employees
vulnerable to identity theft, even after a data breach last September
resulted in the theft of more than 800,000 workers' personal information.

Employees can expose sensitive information, accidentally or intentionally,
because they have unnecessary digital access to off-limits areas, according
to a Postal Service inspector general report released Monday. Also, the
Postal Service doesn't consistently test some components of its
cybersecurity.

"As a result, internal users could compromise sensitive employee, customer
and business information, which could lead to financial and legal
consequences and negatively affect the Postal Service brand," the report
said. Its digital protection systems "could operate more effectively to
prevent data loss from internal users within the Postal Service network."

The poor cybersecurity "could lead to leaked contract information or trade
secrets and identity theft," the report said.

Heavy redactions in the report make it difficult to tell exactly how postal
workers could expose such information.

Despite such heavy consequences, the Postal Service doesn't regularly
ensure its cybersecurity systems are efficient.

"There are no formal rules to ensure [data loss prevention] policies are
continuously reviewed, tested and updated, even though Postal Service
policy requires the protection of sensitive and sensitive-enhanced
information," the report said.

However, the Postal Service told investigators they "presented no direct
evidence of data loss in the report."

The inspector general retorted that "the overarching principle behind" the
estimated impact of the cybersecurity weaknesses "measures the amount of
risk associated with uncertain events" if Postal Service officials don't
make improvements.

The cybersecurity concerns remain despite a cyberattack in September 2014
that exposed more than 800,000 Postal Service employees' personal
information, including their names and Social Security numbers.

Postal workers were not informed of the breach until about a month after
the attack. Consequently, the National Labor Relations Board filed
complaints against the Postal Service in April.

The NLRB claimed that the Postal Service needed to bargain and share
information with its unions in a timely manner.

Also, the inspector general in 2013 reported 148 data-related issues from
2009 to 2012, including cybersecurity weaknesses.

"Limitations in the Postal Service's data governance program placed the
Postal Service at risk of potential vulnerabilities that could affect data
quality," the report said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
