The United States Postal Service (USPS) was scolded by members of a congressional subcommittee in a hearing over its response to the recent data breach that impacted its network and employees.
Members of the USPS testified before a House subcommittee Wednesday and were questioned over its response and notification time related to the incident which affected more than 800,000 USPS employees.
“I am very disappointed in the way you handled this…you have to be more forthcoming,” Rep. Stephen Lynch (D.-Mass.) told testifying members of the USPS.
The U.S Computer Emergency Readiness Team first detected the breach on Sept. 11 and alerted the USPS, however, it wasn't until Oct. 16 where it learned that data was indeed compromised. On November 4 it was confirmed that data was stolen, according to testimony by Randy Miskanic, vice president of secure digital solutions at the USPS.
Employee information compromised includes names, addresses, dates of birth, Social Security numbers, in addition to beginning and end dates of employment and emergency contact information.
USPS employees were notified of the incident on Nov. 10, nearly two months after it was first discovered, but by then news of the breach had already made headlines around the nation.
“Over the entire period it was necessary to understand the scope and the impact,” Miskanic said in response to questions over the delay in notifying affected individuals. “Once we learned on October 16 that there might have been some data taken, we needed to learn what that was and reconstruct it forensically. Over that period it was also very imperative that we initiated remediation and mitigation activity.”
Miskanic's explanation quickly prompted Lynch to respond to the notification tactics utilized by the USPS, which he believed put the employee data further at risk.
“The way this should work is, as soon as you know that a file has been compromised and it contains personally identifiable information…that employee should be notified,” Lynch said. “If we go with your plan, a U.S. government agency could have the Social Security numbers compromised and you'll decide based on your own interests, when the employee [information] has been stolen. That doesn't work for the American people.”
The American Postal Workers Union recently filed charges to the National Labor Relations Board against the USPS for failing to bargain with the group over the impact of the breach. They believe they should have been a part of the discussion on how to address the incident.