Our objective was to assess the U.S. Postal Service’s social media and digital channel security posture. We also assessed whether policies are in place to protect the integrity of the Postal Service’s official social media and digital channel presence.
The Postal Service uses social media to promote its brand, products, and services and to create a community of customers. The Corporate Communications office is responsible for the social media program, through which it engages with more than 790,000 Facebook and 181,000 Twitter followers. Threat actors may take advantage of this vast audience to discredit or leverage the brand for personal gain.
To accomplish our objective, we contracted with a provider to assess the security posture of high visibility or high-risk Postal Service assets/resources on various social media platforms – such as Facebook and Twitter – and digital channels – such as recruitment sites – that make up the Postal Service’s digital presence. We also reviewed Postal Service policies and spoke with personnel responsible for the official digital presence to determine compliance with policy and alignment with best practices.
We identified security threats and business risks associated with the Postal Service’s social media and digital channels. We also found that policies and procedures were not adequate to protect the integrity of the Postal Service’s official social media and digital channel presence.
We found that the Postal Service was not effectively monitoring for the unauthorized use of its organizational information in accordance with best practices. Specifically, we identified multiple fraudulent or deceptive websites and social media accounts purporting to be Postal Service sites, as well as Postal Service-branded goods and services for sale online without authorization. This occurred because management was only monitoring for unauthorized use of the domain name and because the process for monitoring for other intellectual property infringement was time-consuming and inefficient. Without effective monitoring capabilities, unauthorized use of organizational information could go undetected, which could result in customers being misled into thinking they are on a legitimate site, leading to reputational damage, loss of consumer trust, or potential fraud against the customer.
We also found the Corporate Information Security Office (CISO) did not follow best practices to restrict the use of work email addresses for creating accounts on external sites. Specifically, we identified 3,439 Postal Service email addresses on the dark web that were involved in known data breaches of non-Postal Service systems such as retail, gaming, and dating sites. Creating personal accounts with work email addresses increases the risk that threat actors could use this information to hijack accounts, steal data, and commit fraud.
In addition, we found social media accounts intended to officially represent the Postal Service were created without the approval required by policy. Specifically, we identified unapproved accounts for 15 post offices, nine departments, three sales teams, and multiple employees using their social media accounts in an official capacity without the proper approval. This occurred because management did not establish an automated process to proactively monitor for unapproved pages, nor did they have an effective account approval process. Further, we found the Postal Service did not follow best practices to document official social media account management procedures. Management stated they did not see a need for formal documentation because there are a limited number of users with social media responsibilities. Without sufficient social media account management processes, the Postal Service is unable to ensure consistent branding and messaging, creating a risk to the integrity of the Postal Service’s digital presence.
Finally, we found that management did not define or document organizational roles and responsibilities for responding to threats to the Postal Service’s digital presence in accordance with best practices. Depending on the situation, the Law Department, Inspection Service, CISO, Public Relations, Corporate Communications, or Human Resources may need to be involved in response activities. Management stated they are in regular communication with each other and see no need for a formally documented plan. Without clearly defined roles, the Postal Service may not be able to respond to threats to its brand in a timely manner, which could cause reputational damage.
We recommend management:
- Update internal information security policy to include restrictions on the use of work email addresses on external sites.
- Establish an effective social media account approval process and document social media account management procedures.
- Develop a process to inform employees of the social media account establishment policy.
- Establish an automated process to monitor social media to identify and address unapproved pages and accounts created to represent the Postal Service.
- Identify appropriate stakeholders and develop a formal plan with roles and responsibilities for identifying and responding to fraudulent activity on social media and digital channels.
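The monitoring gap described above (checking only for exact use of the domain name, and having no automated check for unapproved accounts) can be narrowed with a small triage step that folds look-alike characters, measures edit distance from the brand name, and compares discovered account handles against an approved register. The following is an added illustration, not code from the report or the Postal Service; the brand domain, the approved-handle register and the sample feed are placeholders constructed for the example.

```python
import unicodedata
# Placeholder brand data constructed for this example (not Postal Service values).
BRAND_DOMAIN = "example-post.test"
APPROVED_HANDLES = {"twitter": {"examplepost"}, "facebook": {"examplepostoffice"}}
# Digits, symbols and look-alike Unicode letters often swapped in to mimic a brand.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
                             "@": "a", "$": "s", "\u0131": "i", "\u03bf": "o"})
# Constructed sample feed, as a brand-monitoring source might report discoveries.
SAMPLE = [("domain", "examp1e-post.test"), ("domain", "postal-news.test"),
          ("twitter", "@ExamplePost"), ("facebook", "@exampIe_post")]

def normalize(text: str) -> str:
    """Fold confusables to ASCII, strip accents and separators, lowercase."""
    text = text.translate(CONFUSABLES)
    text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return "".join(c for c in text.lower() if c.isalnum())

def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value against the brand name indicates a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]
BRAND = normalize(BRAND_DOMAIN.rsplit(".", 1)[0])   # "examplepost"
def brand_like(name: str) -> bool:
    """True when a label embeds the brand name or sits within two edits of it."""
    folded = normalize(name)
    return BRAND in folded or levenshtein(folded, BRAND) <= 2
def classify_domain(domain: str) -> str:
    """'official' inside the brand zone, 'lookalike' for impersonation candidates."""
    domain = domain.lower().rstrip(".")
    if domain == BRAND_DOMAIN or domain.endswith("." + BRAND_DOMAIN):
        return "official"
    host = domain.rsplit(".", 1)[0]   # drop the suffix; single-label TLDs assumed
    return "lookalike" if brand_like(host) else "unrelated"

def classify_handle(platform: str, handle: str) -> str:
    """'approved' if on the register, 'unapproved' if it trades on the brand name."""
    h = handle.lstrip("@").lower()
    if h in APPROVED_HANDLES.get(platform, set()):
        return "approved"
    return "unapproved" if brand_like(h) else "unrelated"
def review_queue(findings):
    """Reduce a (kind, name) feed to the items an analyst must act on."""
    verdicts = [(k, n, classify_domain(n) if k == "domain" else classify_handle(k, n))
                for k, n in findings]
    return [v for v in verdicts if v[2] in ("lookalike", "unapproved")]
```

Anything the queue returns still needs a human decision (takedown request, legal referral, or registering the account through the approval process); the script only replaces the time-consuming manual sweep the report describes.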