Postal Service Used Apps That Had ‘Catastrophic’ Vulnerabilities for Years

The USPS Office of Inspector General found that the Postal Service was using several applications laden with vulnerabilities that could have led to a hack with a potential financial impact of over $1 billion.
September 11, 2020, 1:00pm
Image: Smith Collection/Gado/Getty Images

For years, the United States Postal Service used several applications that had "catastrophic" bugs that could have allowed hackers to access "sensitive data," according to a memorandum sent by the USPS Office of Inspector General earlier this year.

The memorandum, sent on July 27, identified "significant vulnerabilities" in six applications—four of which were classified as "sensitive"—used in the USPS production environment for seven years. The Office of Inspector General wrote in the memo that it found 12 "common, well-known vulnerabilities that have been present for three years that could be exploited by an attacker utilizing publicly available methods"—in other words, unpatched bugs that hackers already know how to use to break into systems.

These flaws were labeled "catastrophic" by the USPS' own Corporate Information Security Office, the department responsible for the service's cybersecurity. These vulnerabilities, the memo concludes, could have led to a potential financial impact of over $1 billion.


An excerpt of the memorandum titled "Management Alert – Risks Associated with Information Technology Applications," dated July 27, 2020.

The memo urged the USPS to review the vulnerable applications and fix them by July 31. This week, a USPS spokesperson said in an emailed statement that "the vulnerabilities identified in this report were found, scoped and addressed by the Postal Service. These applications are now addressed."

The specific affected applications and flaws were redacted in the memo. A FOIA request filed by Motherboard in an attempt to identify the vulnerable applications was denied on grounds that the USPS is exempt from disclosing information related to software created by the Postal Service. 

Do you work in the USPS IT department, did you used to, or do you know anything else about it? We'd love to hear from you. Using a non-work phone or computer, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, on Wickr at lorenzofb, OTR chat at lorenzofb@jabber.ccc.de, or email lorenzofb@vice.com.

There's no indication in the memo that hackers exploited these vulnerabilities. The memo simply said that it could have happened. 

It would not have been the first time. In 2014, hackers broke into USPS systems and stole Social Security numbers and other personal data of 750,000 employees and retirees, as well as data of 2.9 million customers. In 2018, a security researcher found that a USPS website exposed the data of 60 million users, according to a report by security journalist Brian Krebs.

Aaron Gordon contributed reporting.