
U.S. Postal Service Hacked: What to Do Now

The United States Postal Service's (USPS) internal network has been breached, and the Social Security numbers and other personal information of its 800,000 employees have been compromised, including those of the postmaster general himself. Neither customer information nor credit-card data was stolen.

The breach was first discovered in September, and Chinese government-sponsored hackers are suspected of being responsible, officials told the Washington Post. The FBI is still investigating; meanwhile, if you're a U.S. Postal Service employee, follow these steps to safeguard your identity in the wake of this data breach.


It appears the USPS breach lasted approximately eight months before it was discovered, and the stolen information includes employees' names, birth dates, addresses, Social Security numbers and more. Yet despite the wealth of personal data involved, no attempts to use any of it have been reported. Whoever carried out the attack may not be interested in the usual money-making approaches, such as identity theft or credit-card fraud, opening the possibility that this was a state-sponsored attack.

"The recent breach at USPS reinforces that data is the new currency and attackers are going after rich veins of private information, whether it's employee or customer data," said Eric Chiu, president and co-founder of Mountain View, California-based cloud security company HyTrust.

Nevertheless, because Social Security numbers are involved, all affected USPS personnel should consider this compromise as putting them at great risk of identity theft.

USPS employees should first contact the three major U.S. credit-reporting agencies — Experian, Equifax and TransUnion — and request a free 90-day credit alert. Any activity on a person's file will be forwarded to the individual concerned. Credit alerts can be renewed every 90 days, indefinitely. (Each agency gives any U.S. resident one free credit report per year, of which everyone should take advantage.)

Next, contact your bank or other payment-card issuer, such as American Express, and alert the issuers that you may be at a high risk of payment-card fraud. (Payment-card data was not stolen, but the information required to open a new card account was.)

You can also request that the bank contact you immediately if it detects suspicious activity on your accounts. Meanwhile, keep a close eye on your accounts yourself. The sooner you report any fraud, the less likely you are to be liable for it.

The USPS breach could be merely Stage One of a larger attack, experts warn.

For example, the personal information stolen could help traditional spies operating inside the U.S., Steven Chabinsky of Irvine, California-based security company CrowdStrike told the Washington Post.

"Having information about real live people could help them with on-the-ground operations," Chabinsky said.

More likely, however, is that postal workers become the focus of email-borne spyware designed to break into networks — a method used to devastating effect in 2011 by Chinese spies who stole encryption keys from RSA Security.

"It seems this particular incident revealed information on individuals that could lead to targeted spear-phishing attacks towards USPS employees," said Dan Waddell, director of government affairs at the International Information Systems Security Certification Consortium, Inc., a Palm Harbor, Florida-based cybersecurity nonprofit.

USPS employees should be on the lookout for any strange or suspicious emails. These may be traditional phishing attempts, in which attackers try to get people to reveal their own personal information by tricking them with official-looking emails or websites. 

Finally, make sure you have a strong antivirus program running on your computers, smartphones and tablets. It will help detect any targeted malware, or compromised websites, that may try to infect your devices.

Email jscharr@tomsguide.com or follow her @JillScharr and Google+. Follow us @TomsGuide, on Facebook and on Google+.