Remember how your mother and I always used to say, “if it isn’t broken, don’t fix it”? Well, about two years ago, the United States Postal Service (USPS) thought it was high time to spice things up a bit. With the advent of powerhouse shipping companies like UPS (UPS) and FedEx (FDX), coupled with the invention of email, the USPS needed something sleek, something sexy to recapture the attention of American consumers and retired stamp collectors. Well, one thing led to another and USPS unveiled a service called “Informed Delivery,” which scans the outside of your mail and emails you images each morning before the mail is delivered. To loosely reference a quote from one of my favorite films, it was the mail service we deserved, but not the one we needed right then and there.
Two years after “Informed Delivery” was rolled out, an authentication weakness in a USPS application program interface, or API, resulted in the information of 60 million users being exposed, according to TechCrunch on Monday. The specific malfunctioning API was the USPS’ “Informed Visibility,” which, according to the Postal Service, is designed to let businesses, advertisers and others “make better business decisions by providing them with access to near-real-time tracking data” for mail campaigns. Several media outlets reported that the security flaw from the “Informed Delivery” service let any user in the network search and gather information on any of 60 million users, including email addresses, phone numbers, passwords, and more.
The hole in the USPS API was discovered by an anonymous researcher who allegedly reported the issue to the mail distribution department several times in the last year. It wasn’t until Brian Krebs, a cybersecurity expert and contributor for the Washington Post, pressed USPS for answers that they commented on the data exposure:
“Computer networks are constantly under attack from criminals who try to exploit vulnerabilities to illegally obtain information. Similar to other companies, the Postal Service’s Information Security program uses industry best practices to constantly monitor our network for suspicious activity…
…Any information suggesting criminals have tried to exploit potential vulnerabilities in our network is taken very seriously. Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law.”
–USPS Statement Responding to Data Breach
The U.S. Postal Service has had a more difficult year than most. Back in August, the USPS was held responsible for accidentally leaking an unredacted copy of a congressional candidate’s personal security file to a Republican super PAC. Abigail Spanberger was caucusing to be Virginia’s Democratic candidate for Congress when the Postal Service unintentionally released her federal security clearance application from before she became a CIA operative. According to a Fortune piece released at the time, the “SF86” form contained highly personal information about Spanberger, including her social security number and medical records. The Postal Service publicly admitted responsibility in a statement given to The New York Times. A USPS spokesperson said that “full responsibility for this unfortunate error” would be taken and “immediate steps” would be put in place to ensure that this would never happen again.
The super PAC accused of illegally acquiring Spanberger’s documents, affiliated with House Speaker Paul Ryan, claimed they obtained the documents through a standard Freedom of Information Act (FOIA) request for information from the National Personnel Records Center, and continued to accuse Spanberger of only reacting because “official government documents showed a past employer she didn’t want voters to know about.” Fortune reported that representatives from the super PAC were referring to the fact that Spanberger once worked as a substitute teacher at an Islamic school in Virginia.
For countless generations, the U.S. Postal Service has served the integral purpose of connecting people via written correspondence and delivering parcels and packages, but as the days of snail mail come to a close, I offer my same sentiments to the USPS: if it wasn’t broken, you had no business trying to fix it.