Just months after the USPS suffered a massive employee data breach and the loss of a security database, the Office of Inspector General has found that the service has not properly secured its Parcel Tracking and Reporting (PTR) System. This failure, according to the IG report, could allow “a malicious user to gain access to the PTR database, which could result in disclosure or modification of sensitive customer data, loss of PTR system availability, and financial liabilities. In addition, these weaknesses could allow unauthorized access to personally identifiable information, such as home addresses, phone numbers, and email addresses contained within PTR.”
From the report:
The Postal Service needs to improve its process for managing and securing the PTR system. Management did not safeguard eight servers that support the PTR system as required in the Postal Service security standards. Specifically, management did not apply critical patch updates to the operating system servers and databases. In addition, management did not properly configure the operating system, databases, and the web server to comply with security standards. Further, we determined the PTR web server contained unsupported software. Management also has not completed the disaster recovery plan for the PTR system. This occurred because management focused on other priorities such as system releases, system maintenance, and Sarbanes-Oxley Act compliance. In addition, due to a vendor software issue, management did not ensure that security configurations were reviewed on the web application server.
The USPS did not dispute the OIG findings.