BreachExchange mailing list archives
Postal Service cybersecurity still weak after September attack
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 8 May 2015 13:10:37 -0600
http://www.washingtonexaminer.com/postal-service-cybersecurity-still-weak-after-september-attack/article/2564179

Cybersecurity weaknesses still leave United States Postal Service employees vulnerable to identity theft, even after a data breach last September resulted in the theft of more than 800,000 workers' personal information.

Employees can expose sensitive information, accidentally or intentionally, because they have unnecessary digital access to off-limits areas, according to a Postal Service inspector general report released Monday. Also, the Postal Service doesn't consistently test some components of its cybersecurity.

"As a result, internal users could compromise sensitive employee, customer and business information, which could lead to financial and legal consequences and negatively affect the Postal Service brand," the report said. Its digital protection systems "could operate more effectively to prevent data loss from internal users within the Postal Service network."

The poor cybersecurity "could lead to leaked contract information or trade secrets and identity theft," the report said. Heavy redactions in the report make it difficult to tell exactly how postal workers could expose such information.

Despite such heavy consequences, the Postal Service doesn't regularly ensure its cybersecurity systems are efficient. "There are no formal rules to ensure [data loss prevention] policies are continuously reviewed, tested and updated, even though Postal Service policy requires the protection of sensitive and sensitive-enhanced information," the report said.

However, the Postal Service told investigators they "presented no direct evidence of data loss in the report." The inspector general retorted that "the overarching principle behind" the estimated impact of the cybersecurity weaknesses "measures the amount of risk associated with uncertain events" if Postal Service officials don't make improvements.

The cybersecurity concerns remain despite a cyberattack in September 2014 that exposed more than 800,000 Postal Service employees' personal information, including their names and Social Security numbers. Postal workers were not informed of the breach until about a month after the attack.

Consequently, the National Labor Relations Board filed complaints against the Postal Service in April. The NLRB claimed that the Postal Service needed to bargain and share information with its unions in a timely manner.

Also, the inspector general in 2013 reported 148 data-related issues from 2009 to 2012, including cybersecurity weaknesses. "Limitations in the Postal Service's data governance program placed the Postal Service at risk of potential vulnerabilities that could affect data quality," the report said.