The U.S. Postal Service is expanding the use of its emergency records systems to cover ransomware attacks and other cybersecurity incidents.
The Emergency Management System is used by USPS officials and other “officially designated individuals and agencies” to collaborate and coordinate in the face of a natural or manmade emergency, facilitate medical and fitness trainings, locate individuals caught up in an emergency, test individuals for exposure to hazards and provide information about disaster recovery programs and services.
Now, according to a Federal Register notice published Tuesday, USPS officials are updating a document that outlines the system’s use and purpose to include assisting officials “to prepare for, identify and respond to cybersecurity incidents aimed at or affecting the United States Federal Government or the Postal Service,” including ransomware incidents and the exploitation of computer vulnerabilities. The notice also adds a number of other new purposes for the system, including tracking COVID-19 vaccination status, medical evaluations and contact tracing for USPS employees, contractors and customers.
The Emergency Management System contains a host of valuable or personal data for USPS employees, contractors and their families. Among other data points, it contains the Social Security number or employee identification number, date of birth, home, work, and emergency contact information, duty location, work schedule and assigned emergency management devices for employees and contractors involved in emergency response. It will also include vaccination records and other medical tests around COVID-19 and other ongoing, pathogenic public health crises.
According to the updated notice, it may also include information about individuals “whose names have been provided to the Postal Service by government agencies or disaster relief organizations as a result of a disaster, which now includes cybersecurity incidents.”
USPS now considers it a routine use of the system to disclose these records to appropriate federal agencies in the event of a confirmed or suspected data breach, or when they determine there is “a risk of harm to individuals, the Postal Service (including its information systems, programs, and operations), the Federal Government, or national security.” It also permits the sharing of data between agencies when it is deemed necessary to assist the agency in its response to a breach.
The agency claims that paper and electronic records for the system are located in “controlled-access areas” and under supervision to limit access to authorized personnel. Contractors and licensees for the system are also subject to unannounced security audits.
System of Records Notices (SORN) provide the public with transparency around how agencies plan to use a particular software system, the types of data it collects or stores, for how long and which categories of people will be affected. They're also meant to outline potential negative outcomes from collecting or holding on to such data, both in terms of what the government may do with them and the impact if that data is leaked, exposed or compromised by malicious hackers.
The expansion will put reams of new personal and professional data around USPS employees and contractors (and potentially their families) into the federal information ecosystem. According to the USPS Inspector General, the agency suffered a “significant” data breach in 2014 that cost millions of dollars and resulted in the exposure of personal data for more than 800,000 current and former career and non-career employees. The incident led to the creation of a Corporate Information Security Office and a Cybersecurity Operations Center at USPS dedicated to detection and response to cybersecurity threats.
However, auditors’ tests of the agency’s identification and response capabilities, conducted in February and March 2020, found multiple failures by the CISO in detecting malicious activity on the USPS network, concluding that “active threats could go undetected, possibly leading to theft and modification of data or impact on the availability of critical systems.”
The report also found that the CISO hadn’t developed metrics to gauge the effectiveness of their incident response capabilities and that some cybersecurity incident response tickets detailing possible ongoing threats remained open for more than a year without any status updates.