Examining Data Security at the Postal Service

On Wednesday, I chaired a hearing held by the House Oversight and Government Reform Subcommittee on the Federal Workforce, U.S. Postal Service and the Census. During this hearing my colleagues and I examined and questioned agency officials on the collection and distribution of mail cover information by the United States Postal Service (USPS), as well as concerns related to the agency’s recent data breach of personal information of their employees.

The mail covers program is a record of all of the information on the outside of classes of mail that are sealed against inspection. Mail covers can be requested by either the USPS Inspection Service or by outside law enforcement agencies. A May 2014 audit report done by the Postal Service’s Office of the Inspector General showed that 21 percent of mail cover requests were not approved by authorized individuals and that 13 percent were approved without adequate justification contained in the request. This raises serious concerns over the management and oversight of external mail cover requests.

In addition, I questioned officials on their recent public announcement of a data breach that compromised the personal data of its employees. My biggest takeaways from this hearing is that the USPS needs to be more forthcoming about the nature of this breach and be prepared to act faster should further intrusions occur. The USPS was first alerted of suspicious activity on September 11th, 2014. It was not until early October they were able to confirm the data breach and that sensitive postal employee information had been stolen. As a former computer consultant, if I saw an outside source is attempting to access data from a network, I'd simply unplug the server to keep the information safe. I also worry that the USPS waited until early November to alert the more than 800,000 postal employees that their social security, date of birth, address, and more had been compromised. During this hearing the USPS failed to give any proper reason for the delayed response and it is negligent for the USPS to know that their employee’s private information had been compromised while failing to take quicker action. The USPS gave affected employees one year of free credit monitoring. I hope that is enough.