A few weeks ago the United States Postal Service (USPS) patched a vulnerability that had been exposing the details of sixty million people, predominantly US residents, over the last year. About a year ago an anonymous cybersecurity researcher tipped off the Post Office about the vulnerability, but USPS failed to address the issue. After a long wait, the cybersecurity expert had no other choice but to inform the media about the problem, hoping that public attention would prompt a reaction from the independent agency of the United States government. As soon as the security flaw became public, the Postal Service patched the vulnerability.
The cybersecurity flaw affected the personal details of people who have signed up for USPS’ Informed Visibility service. As you might already know, Informed Delivery is a service that provides end-to-end mail tracking information for letter and flat pieces, bundles, handling units, and containers. The API exploit enabled anyone with basic IT knowledge and a username and password to export information about other users. This includes private information such as usernames, account numbers, physical addresses, email addresses, phone numbers, authorized users and additional information. Currently, there is no evidence that sensitive information such as account passwords, banking details, or social security numbers was exposed.
In a statement to the media, a Postal Service media representative said that USPS currently has no information that this security flaw was ever used for criminal purposes but is continuing the investigation. Their goal is to ensure that anyone who might have sought to access their systems inappropriately is pursued to the fullest extent of the law. Asked why USPS took a whole year to deal with the reported issue, the USPS spokesperson said they currently do not have evidence that the cybersecurity expert reached out to them in 2017.
USPS has been under fire in the past too; the independent government agency exposed personal details of almost all USPS employees in a hack back in 2014. The hack included workers’ compensation records of nearly 500,000 people and approximately 3 million customer-inquiry records. 2018 is not going well either: apart from being constantly dragged into the fight between President Trump and Amazon’s Jeff Bezos, in August the U.S. Postal Service had to apologize to Abigail Spanberger, a Democratic congressional candidate and former CIA operative, for accidentally releasing her records to a Republican super PAC.