WASHINGTON (Reuters) - The U.S. Postal Service was the victim of a cyber attack that may have compromised the personal information of more than 800,000 employees, as well as data on customers who contacted its call center during the first eight months of this year.
Employee data may include names, dates of birth, Social Security numbers, addresses, beginning and end dates of employment and emergency contact information, the Postal Service said on Monday.
“The intrusion is limited in scope and all operations of the Postal Service are functioning normally,” USPS spokesman David Partenheimer said in a statement.
The intrusion also may have compromised data on people who contacted the Postal Service Customer Care Center by telephone or email from January through Aug. 16, he said.
Partenheimer said the attack was carried out by a “sophisticated actor” not interested in identity theft or credit card fraud.
Cybersecurity experts said it was too soon to know who was behind the attack but agreed the Postal Service was a rich target.
“There’s a lot of information there and it has great value,” to nation-states like China or cybercriminals in Russia,” said George Kurtz, chief executive of cybersecurity firm CrowdStrike.
“The U.S. Post Office moves billions of letters each year and all of that is captured digitally,” Kurtz told Reuters. “The information flow of where letters and packages and correspondence are going and who is talking to whom is very interesting to them.”
The Postal Service said it would pay for employees to get credit monitoring services for one year. The breach did not affect credit card data from retail or online services including Click-N-Ship, the Postal Store, PostalOne! or change of address services, it said.
Employee data breaches often come ahead of a wider attack.
Edward Ferrara, vice president at Forrester Research, said the data could be used to launch secondary phishing attacks or to gain information about government cyber defenses.
The FBI is leading the investigation. A bureau spokesman declined to provide details.
The Postal Service breach follows a cyber attack reported in August at a firm that performs background checks for U.S. government employees, US Investigations Services (USIS), which compromised the data of at least 25,000 workers.
U.S. Representative Elijah Cummings asked Postmaster General Patrick Donahoe in a letter Monday for more information on the attack.
“The increased frequency and sophistication of cyber-attacks upon both public and private entities highlights the need for greater collaboration to improve data security,” wrote Cummings, the senior Democrat on the House of Representatives Oversight and Government Reform Committee.
Editing by Susan Heavey, Ros Krasny and Bernadette Baum