“If we go with your plan, a U.S. government agency could have the Social Security numbers for all its employees compromised, and you’ll decide based on your own interest when the employees will be notified,” he said.
Randy Miskanic, the head of USPS digital security, testified that the agency did not verify that personal information had been stolen until Nov. 4, even though it realized on Sept. 11 that a potential breach had occurred.
The organization initiated a plan to “evict the adversary” from the network three days later, and it finally notified employees of the problem on Nov. 10.
The FBI and the Department of Homeland Security’s Computer Emergency Readiness Team had advised the Postal Service against revealing the breach too soon, saying such a move could trigger bolder actions from the hackers to sabotage the network, according to Miskanic.
“This valid threat of additional potential damage to the Postal Service and victims was deemed sufficient basis to delay notification and public announcement until after short-term remediation was accomplished,” the postal official said in written testimony for the subcommittee.
Lynch suggested he was not satisfied with the agency’s answers. “The way this should work is, as soon as you know that a file has been compromised and it contains personally identifiable information, Social Security numbers, that employee should be notified,” he said.
The Postal Service is providing its employees with free credit-monitoring services for one year because of the cyber intrusion.