By Chad F. Walter
“The intrusion is limited in scope…”.
How can access to and possible theft of “personal identifying information of the 750,000 employees and retirees which includes birth dates, addresses and employment codes used in the Postal Service’s payroll systems”, plus 2.9 million customer records, be even remotely considered an intrusion of limited scope?
As we recently witnessed in the JPMorgan Chase breach, it’s pure marketing fodder.
In reality, this is huge in scope and, based on early reports, the information accessed and potentially stolen could have an unlimited impact on USPS employees and customers for years to come. No, I don’t wish to see an outbreak of panic, but perhaps a little panic is required for IT security to be taken seriously.
The 2.9 million customer records that were apparently accessed contained names, addresses, phone numbers and emails.
I often argue that this information is far more valuable than bank account or credit card numbers. Account numbers can quickly be changed and monitored for investigative purposes. On the other hand, have you ever known someone to move, or change a phone number? Or even change their email because of a cyber breach? That personal information is exactly what is needed to launch massive social engineering campaigns beyond “My associate, the exiled former Nigerian President needs your help…”.
Such detailed, personal information has a shelf life lasting years beyond the initial breach.
It’s imperative to point out that there is also a legitimate market for such data. These details are gold to legal list companies, which sell such lists to sales organizations, not-for-profits and even political campaigns. The criminals who stole this information have the potential to make quite a lot of money outside of the black and grey markets.