U.S. Postal Service Hacked: What to Do Now

News
By published

U.S. Postal Service employees had their personal data, including Social Security numbers, stolen. If you're among them, here's what to do.

The United States Postal Service's (USPS) internal network has been compromised, and now the Social Security numbers and other personal information of its 800,000 employees have been compromised, including those of the postmaster general himself. Neither customer information nor credit-card data was stolen.

The breach was first discovered in September, and Chinese government-sponsored hackers are suspected of being responsible, officials told the Washington Post. The FBI is still investigating; meanwhile, if you're a U.S. Postal Service employee, follow these steps to safeguard your identity in the wake of this data breach.

MORE: How to Survive a Data Breach

It appears the USPS breach lasted approximately eight months before it was discovered, and stolen information employees' names, birth dates, addresses, Social Security numbers and more. Yet despite the wealth of personal data involved, no attempts to use any of it have been reported. Whoever carried out the attack may not be interested in the usual money-making approaches, such as identity theft or credit-card fraud, opening the possibility that this was a state-sponsored attack.

"The recent breach at USPS reinforces that data is the new currency and attackers are going after rich veins of private information, whether it's employee or customer data," said Eric Chiu, president and co-founder of Mountain View, California-based cloud security company HyTrust.

Nevertheless, because Social Security numbers are involved, all affected USPS personnel should consider this compromise as putting them at great risk of identity theft.

USPS employees should first contact the three major U.S. credit-reporting agencies — Experian, Equifax and TransUnion — and request a free 90-day credit alert. Any activity on a person's file will be forwarded to the individual concerned.  Credit alerts can be renewed every 90 days, indefinitely. (Each agency gives any U.S. resident one free credit report per year, of which everyone should take advantage.)

Next, contact your bank or other payment-card issuer, such as American Express, and alert the issuers that you may be at a high risk of payment-card fraud. (Payment-card data was not stolen, but the information required to open a new card account was.)

You can also request that the bank contact you immediately if it detects suspicious activity on your accounts. Meanwhile, keep a close eye on your accounts yourself. The sooner you report any fraud, the less likely you are to be liable for it.

The USPS breach could be merely Stage One of a larger attack, experts warn.

For example, the personal information stolen could help traditional spies operating inside the U.S., Steven Chabinsky of Irvine, California-based security company CrowdStrike told the Washington Post.

"Having information about real live people could help them with on-the-ground operations," Chabinsky said.

More likely, however, is that postal workers become the focus of email-borne spyware designed to break into networks — a method used to devastating effect in 2011 by Chinese spies who stole encryption keys from RSA Security.

"It seems this particular incident revealed information on individuals that could lead to targeted spear-phishing attacks towards USPS employees," said Dan Waddell, director of government affairs at the International Information Systems Security Certification Consortium, Inc., a Palm Harbor, Florida-based cybersecurity nonprofit.

USPS employees should be on the lookout for any strange or suspicious emails. These may be traditional phishing attempts, in which attackers try to get people to reveal their own personal information by tricking them with official-looking emails or websites. 

Finally, make sure you have a strong antivirus program running on your computers, smartphones and tablets. It will help detect any targeted malware, or compromised websites, that may try to infect your devices.

Email jscharr@tomsguide.com or follow her @JillScharr and Google+.  Follow us @TomsGuide, onFacebook and on Google+.

See more Computing News
TOPICS
Jill Scharr

Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects. 

Latest in Online Security
23andME box
23andMe has declared bankruptcy — here's how to delete your data now
A magnifying glass on top of the Steam logo in a web browser
Valve just pulled a malicious game demo spreading info-stealing malware from Steam
A man filing his taxes electronically on a laptop
AI-powered tax scams are here - how to stay safe from deepfakes, phishing and more this tax season
MacBook Pro 2023
New Mac attack is tricking users into thinking their computer is locked — how to stay safe
Hacker using a stolen social security card
Your Social Security number is a literal gold mine for scammers and identity thieves — here’s how to keep it safe
An open lock depicting a data breach
Half a million teachers hit in major data breach with SSNs, financial data and more exposed — what to do now
Latest in News
AI Mode of google search
Google’s making it easier to start new AI Mode searches — here’s how
Gemini logo on smartphone
Google Gemini Gems now available to all users without a subscription
DeepSeek login in page displayed on smartphone
DeepSeek R1 just got even smarter with a new upgrade — here's what's changed
Galaxy S25 Ultra from the back
Samsung Galaxy S26 Ultra leak claims a massive upgrade is coming to all three cameras
CAD renders of the Google Pixel 10
Pixel 10 could include a repurposed ‘Pixie’ assistant — but what actually happened?
Galaxy S25 Edge dummy unit from side angle
Samsung Galaxy S25 Edge design just shown off on video from every angle with seemingly accurate dummies
More about online security
23andME box

23andMe has declared bankruptcy — here's how to delete your data now

A man filing his taxes electronically on a laptop

AI-powered tax scams are here - how to stay safe from deepfakes, phishing and more this tax season
Lululemon new year deals

Forget Amazon’s Big Spring Sale — I’m shopping Lululemon apparel from $9 in the ‘We Made Too Much’ section
See more latest
Most Popular
DeepSeek login in page displayed on smartphone
DeepSeek R1 just got even smarter with a new upgrade — here's what's changed
AI Mode of google search
Google’s making it easier to start new AI Mode searches — here’s how
Gemini logo on smartphone
Google Gemini Gems now available to all users without a subscription
Galaxy S25 Ultra from the back
Samsung Galaxy S26 Ultra leak claims a massive upgrade is coming to all three cameras
(L-R) Ambika Mod as Emma Morley and Leo Woodall as Dexter Mayhew in One Day on Netflix
5 Netflix shows I wish I could erase from my memory just to relive them again
Artificial intelligence concept image
ChatGPT, Gemini and Claude all failed to solve a simple test that humans are acing
Galaxy S25 Edge dummy unit from side angle
Samsung Galaxy S25 Edge design just shown off on video from every angle with seemingly accurate dummies
CAD renders of the Google Pixel 10
Pixel 10 could include a repurposed ‘Pixie’ assistant — but what actually happened?
iOS 19 logo on an iPhone
iOS 19 redesign mockups emerge — but not everyone is convinced
ChatGPT advanced Voice Mode
ChatGPT's Advanced Voice Mode just got a free upgrade — here's what's new