Expands the main menu

Breadcrumb

After-Action Review of Unauthorized Access to USPS Employee Self-Service Portal

Audit Reports

  • Image
    After-Action Review of Unauthorized Access to USPS Employee Self-Service Portal
Jun
06
2024
Report Number:
23-134-R24
Report Type:
Audit Reports
Category: Security, Technology

After-Action Review of Unauthorized Access to USPS Employee Self-Service Portal

Background

The U.S. Postal Service is the second largest employer in the United States with over 640,000 employees and $2.15 billion in bi-weekly salaries. To provide employees with convenient access to their payroll, benefits, and personnel data, the Postal Service uses the LiteBlue portal. This web-based portal contains several human resources (HR) applications, including PostalEASE, which allows employees to establish direct deposits, create or modify payroll allotments, and update retirement and health benefits information. In October 2022, some employees entered their login credentials into several fake LiteBlue websites, allowing bad actors to obtain their login credentials and fraudulently reroute employees’ payroll direct deposits and create payroll allotments to bank accounts they controlled.

What We Did

Our objective was to determine if the Chief Information Security Office (CISO) appropriately responded to and mitigated fraudulent access to the PostalEASE application. We also assessed the extent to which CISO could have prevented or mitigated this fraudulent access. For this audit, we reviewed CISO’s response to the attack, evaluated cyber incident and event policies and procedures, and analyzed employee and payroll data.

What We Found

CISO did not take all critical steps necessary to prevent fraudulent access to the PostalEASE application, such as implementing multifactor authentication (MFA) or providing security awareness training to all employees. These issues occurred because CISO prioritized securing the broader Postal Service network and did not make security awareness training mandatory. Additionally, CISO did not escalate the 2022 phishing attack from an “event” to an “incident,” despite unauthorized system access, unlawful activity, and indication the attackers used employees’ credentials to access multiple HR applications.

Recommendations and Managements Comments

We made six recommendations to address issues related to fraudulent account access, incident escalation, residual risk to MFA, and more. Postal Service management agreed with four recommendations and disagreed with two. Management’s comments and our evaluation are at the end of each finding and recommendation. The U.S. Postal Service Office of Inspector (OIG) considers management’s comments responsive to recommendations 1,3,4, and 6 and corrective actions should resolve the issues identified in the report.

Report Recommendations

# Recommendation Status Value Initial Management Response USPS Proposed Resolution OIG Response Final Resolution
1

Continue to complete the implementation of multi-factor authentication for applications that hold sensitive or business critical information.

Closed $2,470,000 Agree
2

Provide mandatory annual security awareness training to craft employees and maintain documentation that these employees completed the training.

Closed $0 Disagree
Agree
3

Update incident response escalation criteria to align with the Postal Service's definition of an incident.

Closed $0 Agree
4

Update the definition of lateral movement to align with industry standards.

Closed $0 Agree
5

Update the event management plan to align with the incident response plan and develop a process to review annually.

Closed $0 Disagree
Agree
6

Some or all of the recommendation is not publicly available due to concerns with information protected under the Freedom of Information Act.

Closed $0 Agree