NLRB issues complaint against USPS over handling of massive data breach

ALEXANDRIA, Va.–(BUSINESS WIRE)–The National Labor Relations Board (NLRB) has issued a Complaint against the Postal Service alleging that it violated federal labor law by failing to bargain with the National Rural Letter Carriers’ Association (NRLCA) and provide information to the NRLCA concerning last year’s massive Postal Service data breach. The Complaint, issued on March 31, stems from an unfair labor practice charge filed by the NRLCA on November 19, 2014.

USPS data breach compromised some workers’ health information

Network intruders compromised health information on current and former U.S. Postal Service employees who filed for workers’ compensation, USPS officials say.

The files were accessed during a previously reported September cyber intrusion that netted the Social Security numbers of about 800,000 USPS employees. Details of the health data breach are just now being revealed for the first time.

The agency does not face health data security fines or Health and Human Services Department breach notification violations, because the data was not part of an insurance plan.

About 485,000 employees, former employees and retirees whose medical details were potentially exposed received a notification letter last month, USPS spokesman David Partenheimer said.

The information potentially compromised was stored in “a file relating to injury compensation claims,” USPS Chief Human Resources Officer Jeffrey Williamson said in the letter dated Dec. 10. “In addition some of your medical information” associated with the claims may have been breached.

Read more: Medical File Hack Affected Nearly Half a Million Postal Workers – Nextgov.com.

USPS cyber intrusion update

From USPS News Link:

In a new video, CHRO Jeff Williamson updates employees on the recent cyber intrusion into some USPS information systems.

The CHRO reminds employees they recently received an activation code by mail for a credit-monitoring service that USPS is offering free of charge for one year. “If you have not already activated the service, I encourage you to do so,” he says.

Employees who have not received a letter should contact the HR Shared Service Center to have a replacement sent.

Additionally, the CHRO updates employees on a possible compromise into an injury compensation file, which USPS reported Nov. 10. “We cannot confirm the file was removed from the Postal Service network, but we cannot rule it out,” he says.

Employees whose information was contained in this file will receive a letter that identifies the data that may have been compromised. These letters were expected to be delivered by Dec. 19.

As the video concludes, the CHRO says the Postal Service will keep employees informed about its work to strengthen security. He also thanks employees for their patience and support.

“It is a testament to your commitment to serving the American public that this incident has not distracted you from delivering for our customers during our most important season,” Williamson says.

Medical and bank records of USPS workers’ comp employees may have been compromised

From the Mail Handlers Union:

December 18, 2014 – In a new development on the earlier data breach at the Postal Service, USPS has now sent individual letters to another group of employees who may have had personal information compromised.  USPS informed us that a large number of Workers Compensation records were “possibly” compromised, in some cases including not only personal identifying information (such as social security number), but certain medical information and bank routing information as well.  Further, these types of records go back many years, as opposed to the earlier reports related to records back as far as May 2012.

All affected employees and former employees should begin receiving letters this week from the Postal Service, alerting them to this possible breach, and recommending actions they should take to protect themselves.

If you are not sure whether your OWCP claim is one of those affected, or if you wish to speak with someone directly about your situation, you are encouraged to contact the USPS Human Resources Shared Service Center at 1-877-477-3273 and choose option 5 (option 1 for TDD/TTY), Monday through Friday from 7 a.m. to 8:30 p.m. eastern time.

In an on-line story posted on our web site on November 19, 2014, we provided links to some helpful web sites that provide more information on data breaches, and how to protect yourself against adverse consequences.  In addition to credit monitoring, some of these sites suggest that individuals consider protecting themselves against “existing account fraud” by placing a fraud alert, a freeze, or both on their credit report.  In many states, victims of a data breach can freeze their credit for free, but be aware that such a freeze may be inconvenient if you are trying to obtain credit, such as applying for a new credit card, buying or renting a place to live, etc.  We encourage you to review this information carefully to decide how best to protect yourself going forward, as the NPMHU National Office continues to do everything in its power to address this breach, and to prevent future breaches that may affect employees, retirees, and others at the Postal Service.
Union Notified of New Developments in USPS Data Breach – National Postal Mail Handlers Union.

APWU: USPS data breach was worse than originally thought

Statement from APWU President Mark Dimondstein:

11/20/2014 – New revelations about the security breach in the Postal Service’s data systems are raising additional concerns about this very troubling incident. The APWU remains fully committed to protecting the rights of our members and demanding information from the USPS about what management knew and when they knew it.

Unfortunately, it appears the breach was worse than originally thought. Apparently, information regarding OWCP records that were shared with the Department of Labor exposed medical records, bank account and routing information for tens of thousands of employees and retirees. The Postal Service plans to issue follow-up letters to those impacted by the latest findings shortly.

Timeline: How the Postal Service Data Breach Went Down

U.S. Postal Service officials are revealing more about the cyber intrusion at the agency that exposed the personal data of about 800,000 USPS employees.

Testifying before Congress Wednesday, Randy Miskanic, incident commander on the case and the USPS secure digital solutions vice president, laid out a nearly day-by-day timeline of the incident — from the time the Department of Homeland Security first notified the agency of suspicious network activity to when postal officials first notified employees of the breach nearly two months later.

Read more: Timeline: How the Postal Service Data Breach Went Down – Nextgov.com.

Lynch tells USPS computer security chief: “The secret squirrel stuff… that doesn’t fly”

At today’s House committee hearing on USPS data security and mail surveillance, USPS computer security czar Randy Miskanic told lawmakers that the USPS waited for two months to tell employees their data had been stolen because doing so sooner might have tipped off the hackers.

Congressman Stephen Lynch was not impressed:

“The secret squirrel stuff — we have to figure out how sophisticated these people were and what information they’ve got — that doesn’t fly,” said Stephen Lynch, D-Mass., ranking Democrat on the House Oversight and Government Reform’s subcommittee on the federal workforce, which held the hearing.

Legislation perhaps should be introduced “to make sure you cough up that information,” Lynch suggested.

“The way this should work is, as soon you know that a file has been compromised and it contains personally identifiable information — Social Security numbers — that employee should be notified,” Lynch said. “If we go with your plan, a U.S. government agency could have the Social Security numbers for all its employees compromised and you’ll decide based on your own interests when the employees will be notified.”

Read more: Hackers Possibly Copied Postal Employee Pay Records – Nextgov.com.

Video: Examining Data Security at the United States Postal Service

Video of today’s House committee hearing on USPS data security:

Written testimony:

Vice President of Secure Digital Solutions, United States Postal Service
Chief Postal Inspector, United States Postal Service Inspection Service
Deputy Inspector General, United States Postal Service Office of Inspector General
Visiting Fellow, Watson Institute for International Studies, Brown University
Narcotic Enforcement Division, Prince George’s County Police Department

Examining Data Security at the United States Postal Service | Committee on Oversight & Government Reform.

Postal Service ‘functioning normally’ after cyber breach, official says in testimony for hearing

The U.S. Postal Service is “functioning normally” after a recent cyber breach that compromised customer and employee data, and the agency has yet to find evidence that hackers used the information for identity theft, according to the agency’s head of digital security.

Randy Miskanic, USPS vice president for cybersecurity, called the attack “very sophisticated” but “limited in scope” in prepared testimony for the House subcommittee on the Federal Workforce, U.S. Postal Service and the Census. The congressional hearing on the breach is set for 10:30 a.m. Wednesday.

A review after the recent breach found that the various USPS divisions do not always follow the organization’s information-security policies and that critical systems were not properly segregated from the general network, Miskanic said in his prepared testimony.

Read more: Postal Service ‘functioning normally’ after cyber breach, official says in testimony for hearing – The Washington Post.

NALC files NLRB charge over USPS response to hacking

From the National Association of Letter Carriers:

As previously reported, NALC is continuing to monitor the Postal Service’s response to the cyber breach that compromised a Postal Service computer file containing employees’ personal and employment information. NALC has filed a charge with the National Labor Relations Board protesting the Postal Service’s failure to provide NALC advance notice of, and an opportunity to bargain over, the Postal Service’s response to this breach. Pending resolution of this dispute, individual letter carriers may elect to enroll in the credit monitoring service offered by the Postal Service, with the knowledge that NALC may seek different or additional remedies.