US Postal Service has privacy problems with change of address information

October 9, 2014

The Washington Post, in “How the Postal Service put your change-of-address information at risk”, reports on an audit of the US Postal Service which uncovered a significant weakness in its data security and privacy protection. The weakness was poor controls over the outside groups that were given access to change-of-address records, including a failure to follow its own procedures. One of those procedures was to require entities to submit security plans when they apply for licences. This episode highlights 2 issues in privacy protection: that weaknesses in data security can arise from third parties who have access to an entity’s site but have poor data security, and the failure to abide by established protocols and procedures.

The article provides:

With breaches of personal data being a top concern for federal agencies, the U.S. Postal Service faces a huge security risk of its own: It has jeopardized 13 million addresses of customers who are forwarding mail to their new homes.

That’s the alarming conclusion of an audit by the Postal Service inspector general’s office, which found that hundreds of companies with access to change-of-address records have little oversight by postal officials and porous security controls.

“There is a risk that the [data] could be accessed by unauthorized users,” auditors for Inspector General David Williams wrote in a report released last week. “Security controls . . . are not sufficient to protect the confidentiality and integrity of customer information.”

The inspector general estimated that 13,554,542 customer records with a potential value of $228 million are at risk.

More than 40 million Americans change addresses every year by submitting paperwork to the Postal Service electronically or filling out paper forms at their local post office to make sure their mail gets delivered to their new home.

Hundreds of companies then acquire the information through a database known as the National Change of Address Linkage (NCOALink), which contains more than 160 million change-of-address records. Those entities, which are licensed by the Postal Service, then sell the information to direct mailers and other advertisers.

Auditors found that the 515 companies with licenses to sell the information have little oversight from postal officials. The Postal Service is supposed to do security checks on them, but the agency has “never performed site security reviews of licensees’ environments,” auditors wrote, and does not ask the companies to submit security plans when they apply for licenses.

The companies stored some postal customers’ home addresses on databases shared by other companies. They also did not disclose the other businesses with which they share customer information, auditors wrote.

Access to the information is supposed to be available only to U.S. businesses. But auditors found 2,674 international mailers that have bought information from the licensees.

And the Postal Service has its own porous security where new addresses are concerned, auditors discovered; the addresses are stored on outdated computers that “a person could crack” because they lack security.

Auditors also found problems with change-of-address requests made on paper forms.

At a storage site in Jackson, Tenn., change-of-address forms were piled in boxes and left in open areas where any employee could access them, a violation of postal policy. The facility’s supervisor was not aware that the files needed to be stored securely to protect customers’ information, the inspector general found.

Postal officials agreed with some of the watchdog’s findings but disputed others.

They agreed to start conducting random security reviews by April 2015 of the businesses they license to use the database of change-of-address requests. They also agreed to upgrade some software in the database that holds the addresses to make them more secure.

But they told the inspector general in a written response to the report that other security flaws were not necessarily systemic, because auditors visited only one site. They declined to take other security precautions auditors recommended.


