Many are questioning the U.S. Postal Service’s decision to wait several months to make public a breach of employees’ personal information, though the agency defended the delay as necessary to mitigate the fallout from the hack.
The American Postal Workers Union filed a complaint on Monday with the National Labor Relations Board over the Postal Service’s failure to adequately consult with the group about the security failure. APWU President Mark Dimondstein said USPS should have bargained with the union over the “impact of the security breach.”
“We are demanding information from the USPS about the extent of the breach -- both known and suspected -- and what postal management knew, when they knew it, and what they did, or failed to do to protect employee information.” He added that Postmaster General Patrick Donahoe gave him only a “courtesy call” on Sunday night and did not engage the union leader in a discussion of how to deal with the problem.
The Postal Service has known about the breach since at least September, but said it could not notify employees about the incident -- which exposed up to 800,000 former and current employees’ names, dates of birth, Social Security numbers, physical addresses, employment start dates and termination dates, emergency contacts and other personal information -- earlier because it would have put the “remediation actions in jeopardy.”
While USPS claims none of the information has been used for “malicious activity,” management will offer employees one year of free credit monitoring through Equifax. Employees will be notified of their eligibility through a letter and will have 90 days to sign up, at which point they would be insured for up to $1 million against identity theft.
Sally Davidow, a spokeswoman for APWU, told Government Executive that the decision was made “unilaterally,” and one year of insurance “may or may not be sufficient.”
“Other remedies may be required if employees suffer identity theft as a result of the breach,” Davidow said. APWU anticipates the charges filed with NLRB will help alleviate those concerns.
Complaints over the notification delay weren’t just internal; several lawmakers also voiced disapproval of the Postal Service’s delayed announcement. Reps. Darrell Issa, R-Calif., the outgoing chairman of the House Oversight and Government Reform Committee, and Blake Farenthold, R-Texas, chairman of the committee’s panel with postal oversight, said they were “deeply concerned” about the hack, and will push USPS for more information. Congress was notified of the data breach several weeks ago, but the Postal Service at that point deemed the matter classified.
Issa and Farenthold said their committee will be “seeking information about why the administration waited two months before making the news of this attack public and preventing victims from taking proactive measures to secure their own information. We have not been told why the agency no longer considers the information classified.”
In a message to employees, Donahoe defended the decision to not notify employees of the attack until Monday, but offered his “sincerest apologies” for the breach.
“On a personal note, I’d like to say how bad I feel that the whole organization has been victimized,” Donahoe said. “The Postal Service has put in a lot of effort over the years to protect our computer systems and the bad guys haven’t been successful until now.”
Rep. Elijah Cummings, D-Md., the ranking member on the oversight committee, penned a letter to Donahoe asking for more details about the attack. He wants more information about the steps USPS has taken since the breach to improve its cybersecurity and the procedures it uses to ensure its third-party vendors and contractors maintain appropriate data security measures.
The Postal Service said it has already “identified the methods and locations” that hackers used to access its data systems and “devised a plan to close those access routes to our infrastructure to prevent future intrusions.” The agency promised additional security measures in the coming weeks.