Management Alert – Protection of Personally Identifiable Information on Internal Systems
During the Peak Season Hiring audit (Project Number 20-316), we found that the U.S. Postal Service mishandled personally identifiable information (PII) for veteran employees on an internal system. The purpose of this management alert is to bring these issues to management’s attention and make recommendations for corrective action.
PII is any information about an individual maintained by an agency, including information that can be used to distinguish or trace an individual’s identity. The Postal Service is responsible for safeguarding PII for over 630,000 employees nationwide. Management is responsible for ensuring employees safeguard PII through restricting employee access and using the required storing and handling methods to protect sensitive information.
On October 21, 2020, two computer-generated files containing PII were uploaded to the Postal Service’s internal website. Specifically, the files included the names, home addresses, employee identification numbers, and work locations of 89,070 Postal Service veterans. The first file contained information for headquarters veterans and the second file included information for area and district veterans.
The Postal Service created the files to aid in identifying employees for recognition on Veterans Day 2020. Sharing the files on the internal website allowed district Human Resources (HR) representatives, veteran coordinators, and Postal Service Learning Development and Diversity managers to access the data for veteran employees. Both files were accessible to over 380,000 employees and contractors with access to the internal website.
On October 22, 2020, we discovered and accessed the unsecured files on the internal website and notified the Postal Service on October 23, 2020. Subsequently, the Postal Service Chief Privacy and Records Officer (Privacy Officer) coordinated with the Corporate Information Security Office (CISO) to identify and remove the PII files from the internal website on October 23, 2020.
Opportunities exist for the Postal Service to improve the handling and safeguarding of PII when posting on an internal website. Management approved and an employee posted the unsecured files containing the PII of 89,070 veterans to the organization’s internal website without reviewing the files to ensure they were encrypted or password protected to prevent unauthorized access.
After our notification and the Postal Service’s removal of the files from the internal website, the CISO determined that the data were only posted internally; however, they were unable to verify whether the files were shared outside of the Postal Service. Because the data did not contain social security information, management determined that the severity of this PII incident was a low risk and [redacted]. However, the Postal Service took 71 days to notify affected veterans of the exposure of their PII. Postal Service policy does not clearly define the [redacted] when the release of PII has occurred.
We also determined the employee who posted the veterans’ PII to the internal website completed the required cybersecurity training courses. However, the employee did not apply the training by reviewing the two files to ensure they did not contain PII prior to posting on the internal website.
The Postal Service maintains extensive data on employees for business purposes. The organization has a responsibility to protect sensitive information from loss, misuse, and unauthorized access within and outside of its organization. Incidents involving PII can cause financial harm to an individual and may lead to identity theft or other fraudulent use of the information. Additionally, when an organization does not protect its employees from security incidents, it can experience a loss of public trust, legal liability, or remediation costs. We identified $1,431,938 in associated costs that can be attributed to the vulnerability of inappropriate or unauthorized disclosure of sensitive data.