Hackers successfully breach US Postal Service

The federal government is, without a doubt, one of the most tempting targets for countless hackers and other cybercriminals. Federal agencies possess a huge trove of sensitive information that can potentially be leveraged for a wide range of illicit purposes if stolen or exposed. Federal IT leaders, well-aware of this fact, understand that cybersecurity must be a priority. Unfortunately, though, their data protection efforts are not always sufficient.

The fallibility of federal cybersecurity efforts was most recently highlighted by a cyberattack on the U.S. Postal Service. As the result of this attack, hundreds of thousands of employees' personal data may have been exposed, along with a large amount of customer information.

A major breach
According to officials, the data breach was first detected in September, The Washington Post reported. More than 800,000 federal employees' personal information was compromised in the attack. This information includes names, Social Security numbers, addresses, dates of birth and employment dates.

In a statement, the Postal Service described the breach as "limited in scope" and confirmed that all operations are continuing to function normally. The FBI is investigating the intrusion.

In addition to employee data, customer information was likely also exposed. Specifically, the hackers gained access to data collected during phone or email interactions with the Postal Service Customer Care Center between January and mid-August, according to Yahoo! News.

"It is an unfortunate fact of life these days that every organization connected to the Internet is a constant target for cyber intrusion activity," said Postmaster General Patrick Donahoe in a statement. "The United States Postal Service is no different. Fortunately, we have seen no evidence of malicious use of the compromised data and we are taking steps to help our employees protect against any potential misuse of their data."

State-sponsored possibilities
Investigators declined to speculate as to who may be responsible for this cyberattack. However, some observers argued there is reason to believe that Chinese state-sponsored hackers are to blame. According to USPS official, the cyberattackers used sophisticated techniques and did not seem to be concerned with simple identity theft or fraud. This suggests that a state-sponsored attack is a more likely explanation.

As The Washington Post noted, China is suspected of having been involved in a number of recent cyberattacks on federal agencies, although Chinese officials have consistently denied such allegations. Speaking to the news source, James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, argued that the Postal Service is a feasible target for China-sponsored hackers. 

"They're just looking for big pots of data on government employees," Lewis said, the news source reported. "For the Chinese, this is probably a way of building their inventory on U.S. persons for counterintelligence and recruitment purpose."

George Kurtz, chief executive of a cybersecurity firm, argued that the consumer information may be even more valuable for Chinese hackers.

"The U.S. Post Office moves billions of letters each year and all of that is captured digitally," Kurtz told Reuters. "The information flow of where letters and packages and correspondence are going and who is talking to whom is very interesting to them."

Improving defenses
Whether the attack was the work of state-sponsored hackers or especially sophisticated cybercriminals, the incident serves as further evidence that the U.S. government needs to significantly improve its cybersecurity operations. Such an effort should include both the implementation of superior tools, such as advanced firewalls and anti-malware programs, and training for federal employees. After all, even the most sophisticated cybersecurity tools are vulnerable if workers engage in risky behavior. Training and guidance can help reduce the risk that insiders will take action that opens the agency up to opportunistic cyberattackers.