The inspector general warned exposure could “have a serious negative impact to the Postal Service brand.”
An internal watchdog at the U.S. Postal Service revealed a significant security gap in one of the organization’s systems, but officials wouldn’t publicly disclose any information about the vulnerability.
The Postal Service Inspector General inadvertently uncovered the bug during an audit to determine whether the Postal Service had addressed a separate IT security flaw, auditors said in a heavily redacted management alert.
The latest vulnerability “poses a security weakness that warrants management’s immediate attention,” auditors said. The IG notified the organization’s top cybersecurity officials in early April.
Though nearly all details about the vulnerability were stricken from the public version of the alert, it’s clear the flaw presented a serious cyber threat to the Postal Service.
“Postal Service policy requires there be security controls sufficient to satisfy baseline security requirements in all information resources,” auditors said. “Additional security is required to adequately protect the [redacted]. Exposure of this [redacted] could have a serious negative impact to the Postal Service brand.”
“We are currently working to determine the number of Postal Service employees and contractors who have access to [redacted] and how it may have been used,” they added.
The IG made four recommendations to USPS to address the issue, and Postal Service officials agreed with all of them. In one, auditors advised the chief information security officer to “determine if [redacted] was accessed or exported and, if so, implement incident response protocols.” USPS told auditors “no [redacted] were observed.”
“We are working closely with the OIG on ways to continuously maintain and protect the integrity of our systems,” a Postal Service spokesperson said in an email to Nextgov. Both the Postal Service and the IG declined to comment on the nature of the vulnerability and affected systems.
This isn’t the first time the Postal Service has suffered cybersecurity troubles. In November, security researcher Brian Krebs uncovered a vulnerability in the Postal Service’s Informed Delivery program that left millions of people at risk of identity theft. Weeks later, Krebs revealed a separate bug in the organization’s main website that exposed personal details on more than 60 million users.