Postal Service Exposes 60 Million Records

David Williams

November 27, 2018

For Immediate Release
Contact: Grace Morgan
November 27, 2018

Washington, D.C. – Today, the Taxpayers Protection Alliance (TPA) slammed the U.S. Postal Service (USPS) for a privacy breach impacting millions of consumers.  Silicon Republic reported that, “according to KrebsOnSecurity, a broken API within USPS’s mail tracker service called Informed Delivery allowed any user to see another user’s details.”  This data breach comes less than two weeks after the USPS reported a $3.9 billion net loss for the year, an increase of $1.2 billion from the previous year.  

The publication also noted that, “Krebs claimed that identity thieves are using this information to see what packages are being sent to users’ homes on what days, in order to exploit them.” An anonymous researcher exposed the issue a year ago and contacted the Postal Service but to no avail. Only after receiving widespread media coverage and condemnation did the USPS see fit to patch up the issue. 

TPA President David Williams expressed alarm at the continued problems facing the USPS: “We’ve seen over the past few weeks the USPS’s continued inability to manage its finances, racking up $2 billion in controllable losses while refusing to implement simple efficiency guidelines that would save hundreds of millions of dollars per year. Apparently, the Postal Service’s spending priorities don’t include basic cybersecurity, as the personal information of 60 million USPS customers was put at risk for far too long.  The holiday season is the time of the year for the USPS to shine and deliver cards and packages to anxious and excited customers.  Now, instead of worrying about whether Santa Claus knows if people are naughty or nice, people using the USPS now have to worry about who is watching them illegally.”

Williams continued, noting that, “due to the failure of the Postal Service to put in place multiple access controls on their website, USPS website users would be able to wantonly change other users’ contact information and find personal information without any special hacking techniques. This is particularly dangerous for individuals seeking refuge from hostile individuals looking to cause problems for them and their loved ones. Even absent personal vendettas, the information could be used for mass spam efforts.”

Williams concluded, “Congress needs to step in and demand answers from the USPS ASAP.  And, USPS needs to take immediate action to get the agency in order.”