
US Postal Service Emergency Records System to Expand to Support Ransomware and Breach Response

A fleet of US Postal Service vehicles parked in line. The US Postal Service is expanding the use of an emergency registration system to cover ransomware attacks and other cybersecurity incidents. (Photo credit: BrianBrownImages via Getty)

The US Postal Service is expanding the use of its emergency registration systems to cover ransomware attacks and other cybersecurity incidents.

The emergency management system is used by USPS officials and other “officially designated persons and agencies” to collaborate and coordinate in the face of a natural or man-made emergency, facilitate medical and fitness trainings, locate people caught in an emergency, test people for risk exposure, and provide information about disaster recovery programs and services.

Now, according to a federal registry note released on Tuesday, USPS officials are updating a document that describes the use and purpose of the system to include helping officials “prepare for, identify, and respond to cybersecurity incidents targeting or affecting the federal government of United States or the Postal Service”, including incidents of ransomware and the exploitation of computer vulnerabilities. The notice also adds a number of other new purposes for the system, including tracking COVID-19 vaccination status, medical assessments and contact tracing for employees, contractors and USPS customers.

The Emergency Management System contains a wealth of valuable or personal data about USPS employees, contractors, and their families. Among other data points, it contains Social Security numbers or employee identification numbers, dates of birth, residence, work and emergency contact information, place of employment, work schedule, and the work and emergency management arrangements assigned to employees and contractors involved in emergency response. It will also include vaccination records and other medical tests around COVID-19 and other ongoing pathogenic public health crises.

According to the updated advisory, it may also include information about people “whose names have been provided to the Postal Service by government agencies or disaster relief organizations following a disaster, which now includes cybersecurity incidents”.

The USPS now considers it a common use of the system to release these records to the appropriate federal agencies in the event of a confirmed or suspected data breach, or when they determine that there is “a risk of harm to persons, the Postal Service (including its systems, programs, and operations information), the federal government, or national security,” and allows inter-agency data sharing when deemed necessary to assist the agency in its response to a breach.

The agency says the system’s paper and electronic records are located in “access-controlled areas” and under surveillance to limit access to authorized personnel. System contractors and licensees are also subject to unannounced security audits.

System of Records Notices (SORNs) provide the public with transparency about how agencies plan to use a particular software system, what types of data it collects or stores, for how long, and what categories of people will be affected. They are also intended to describe the potential negative results of collecting or retaining this data, both in terms of what the government can do with it and the impact if this data is disclosed, exposed or compromised by malicious third-party hackers.

The expansion will put tons of new personal and business data about USPS employees and contractors (and potentially their families) into the federal information ecosystem. According to the USPS Inspector General, the agency suffered a “significant” data breach in 2014 that cost millions of dollars and exposed the personal data of more than 800,000 current and former career and non-career USPS employees. The incident led to the creation of a Corporate Information Security Office and Cybersecurity Operations Center at the USPS dedicated to detecting and responding to cybersecurity threats.

However, tests carried out by auditors of the agency’s identification and response capabilities in February and March 2020 found multiple CISO failures to detect malicious activity on the USPS network, concluding that “active threats may go undetected, potentially resulting in data theft and modification or impacting the availability of critical systems.”

The report also revealed that the CISO had not developed metrics to assess the effectiveness of its incident response capabilities and that some cybersecurity incident response tickets detailing possible ongoing threats remained open for more than one year without any status updates.