Postal Service left vulnerable IT applications unaddressed for years, inspector general finds

The "common, well-known vulnerabilities" could have been exploited by hackers using "publicly available methods," the report found.
The United States Postal Service headquarters in Washington, D.C.

Officials at the U.S. Postal Service let multiple vulnerable applications languish on the agency’s IT network for years — flaws that could have been exploited by hackers to steal sensitive data, an inspector general audit has found.

The inspector general investigation, distributed to Postal Service leadership in July, faults IT officials at the agency for not keeping a slew of applications up to date. Six of the IT applications were left on the Postal Service network for up to seven years with things like incomplete certification and accreditation from technology executives, according to the IG memo.

A dozen vulnerabilities were deemed “catastrophic” by the USPS’s Corporate Information Security Office, the watchdog said, meaning they could have exposed the agency to big financial damages. “These are common, well-known vulnerabilities that have been present for three years that could be exploited by an attacker utilizing publicly available methods,” the memo reads.

“The vulnerabilities identified in this report were found, scoped and addressed by the Postal Service,” an agency spokesperson told CyberScoop. “These applications are now addressed.”


But before they were addressed, the inspector general report concluded, the Postal Service “did not completely evaluate the risks these vulnerable applications posed.”

Postal Service executives agreed with the audit’s findings and pledged to improve the agency’s cybersecurity. CyberScoop has not seen any evidence that the vulnerabilities have been exploited by hackers.

Vice News was first to report on the audit.

It is unclear which IT applications the inspector general’s office studied. That information is redacted in the report.

This is not the first time the Postal Service has struggled with IT security. It took the agency more than a year to fix a vulnerability in its website that allowed anyone with a USPS account to view the personal details of 60 million other users, journalist Brian Krebs reported in November 2018. The agency said at the time there was no indication that the vulnerability had been exploited.


Perhaps the biggest confirmed breach suffered by the Postal Service took place in September 2014, when hackers infiltrated the agency’s computer systems and compromised personal data on some 800,000 employees.

UPDATE, 09/11/20, 1:46 p.m. EDT: This story has been updated with a statement from the USPS.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.