[BreachExchange] US Postal Service emergency records system will expand to support ransomware, breach response

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Wed Feb 16 09:31:45 EST 2022


https://www.scmagazine.com/analysis/data-security/us-postal-service-emergency-records-system-to-cover-ransomware-data-breaches

The U.S. Postal Service is expanding the use of its emergency records
systems to cover ransomware attacks and other cybersecurity incidents.

The Emergency Management System is used by USPS officials and other
“officially designated individuals and agencies” to collaborate and
coordinate in the face of a natural or manmade emergency, facilitate
medical and fitness trainings, locate individuals caught up in an
emergency, test individuals for exposure to hazards and provide information
about disaster recovery programs and services.

Now, according to a Federal Register notice published Tuesday, USPS
officials are updating a document that outlines the system’s use and
purpose to include assisting officials “to prepare for, identify and
respond to cybersecurity incidents aimed at or affecting the United States
Federal Government or the Postal Service,” including ransomware incidents
and the exploitation of computer vulnerabilities. The notice also adds a
number of other new purposes for the system, including tracking COVID-19
vaccination status, medical evaluations and contact tracing for USPS
employees, contractors and customers.

The Emergency Management System contains a host of valuable or personal
data for USPS employees, contractors and their families. Among other data
points, it contains the Social Security number or employee identification
number, date of birth, home, work, and emergency contact information, duty
location, work schedule and assigned emergency management devices for
employees and contractors involved in emergency response. It will also
include vaccination records and other medical tests around COVID-19 and
other ongoing, pathogenic public health crises.

According to the updated notice, it may also include information about
individuals “whose names have been provided to the Postal Service by
government agencies or disaster relief organizations as a result of a
disaster, which now includes cybersecurity incidents.”

USPS now considers it a routine use of the system to disclose these records
to appropriate federal agencies in the event of a confirmed or suspected
data breach, or when they determine there is “a risk of harm to
individuals, the Postal Service (including its information systems,
programs, and operations), the Federal Government, or national security.”
It also permits the sharing of data between agencies when it is deemed
necessary to assist the agency in its response to a breach.

The agency claims that paper and electronic records for the system are
located in “controlled-access areas” and under supervision to limit access
to authorized personnel. Contractors and licensees for the system are also
subject to unannounced security audits.

System of Records Notices (SORN) provide the public with transparency
around how agencies plan to use a particular software system, the types of
data it collects or stores, for how long and which categories of people
will be affected. They're also meant to outline potential negative outcomes
from collecting or holding on to such data, both in terms of what the
government may do with them and the impact if that data is leaked, exposed
or compromised by malicious hackers.

The expansion will put reams of new personal and professional data around
USPS employees and contractors (and potentially their families) into the
federal information ecosystem. According to the USPS Inspector General, the
agency suffered a “significant” data breach in 2014 that cost millions of
dollars and resulted in the exposure of personal data for more than 800,000
current and former career and non-career employees. The incident led to the
creation of a Corporate Information Security Office and a Cybersecurity
Operations Center at USPS dedicated to detection and response to
cybersecurity threats.

However, tests conducted by auditors of the agency’s identification and
response capabilities in February and March 2020 found multiple failures by
the CISO around detecting malicious activity on the USPS network,
concluding that “active threats could go undetected, possibly leading to
theft and modification of data or impact on the availability of critical
systems.”

The report also found that the CISO hadn’t developed metrics to gauge the
effectiveness of their incident response capabilities and that some
cybersecurity incident response tickets detailing possible ongoing threats
remained open for more than a year without any status updates.