The online world has sometimes been referred to as the Digital Wild West, a vast electronic prairie with few laws, where both good and bad actors carry on pretty much as they want. Like the Wild West, the new high-tech version can be a land of great opportunity — or great danger. Anyone or anything that has an online presence can be made a target, and that includes the U.S. Postal Service.
Most people know the Postal Service has a website, www.usps.com, but it also has accounts on Twitter, Facebook, Pinterest, and YouTube. As anyone who’s ever been hacked can attest, keeping online domains secure can make the difference between a nice, normal day and a living nightmare.
We recently looked at how well the Postal Service keeps its online presence secure, and we found a number of threats and risks that could undermine the USPS brand and messaging. For instance, we identified fraudulent or deceptive websites and social media accounts purporting to be the Postal Service, as well as Postal Service-branded goods and services for sale online without authorization. We also found a Twitter account impersonating a high-ranking USPS official.
In some cases, risks came from inside the Postal Service. For example, we found unapproved social media accounts for 15 post offices, nine departments, and three sales teams, as well as multiple employees using their social media accounts in an official capacity without the proper approval. We also found more than 3,400 USPS email addresses associated with 61 known data breaches of non-Postal Service sites. Employees had created accounts on those systems — many of them gaming, retail, and dating sites — using their work email addresses.
As we note in a recent audit report, the Postal Service is now taking actions to strengthen the security of its online presence. Any suspected security violations regarding the Postal Service’s social media can be reported to the OIG Hotline.