For years, the United States Postal Service used several applications that had "catastrophic" bugs that could have allowed hackers to access "sensitive data," according to a memorandum sent by the USPS Office of Inspector General earlier this year.
The memorandum, sent on July 27, identified "significant vulnerabilities" in six applications—four of which were defined "sensitive"—used in the USPS production environment for seven years. The Office of Inspector General wrote in the memo that they found 12 "common, well-known vulnerabilities that have been present for three years that could be exploited by an attacker utilizing publicly available methods"—in other words, unpatched bugs that hackers already know how to use to break into systems.
These flaws were labeled as "catastrophic" by the USPS' own Corporate Information Security Office, the department that is tasked with securing the service's cybersecurity. These vulnerabilities, the memo concludes, could have led to a potential financial impact of over $1 billion.
The memo urged the USPS to review the vulnerable applications and fix them by July 31. This week, a USPS spokesperson said in an emailed statement that "the vulnerabilities identified in this report were found, scoped and addressed by the Postal Service. These applications are now addressed.”
The specific affected applications and flaws were redacted in the memo. A FOIA request filed by Motherboard in an attempt to identify the vulnerable applications was denied on grounds that the USPS is exempt from disclosing information related to software created by the Postal Service.
Do you work in the USPS IT department, did you used to, or do you know anything else about it? We'd love to hear from you. Using a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, on Wickr at lorenzofb, OTR chat at firstname.lastname@example.org, or email email@example.com.
There's no indication in the memo that hackers exploited these vulnerabilities. The memo simply said that it could have happened.
It would not have been the first time. In 2014, hackers broke into USPS systems and stole Social Security numbers and other personal data of 750,000 employees and retirees, as well as data of 2.9 million customers. In 2018, a security researcher found that a USPS website exposed the data of 60 million users, according to a report by security journalist Brian Krebs.
Aaron Gordon contributed reporting.