After-Action Review of Unauthorized Access to USPS Employee Self-Service Portal
Background
The U.S. Postal Service is the second largest employer in the United States with over 640,000 employees and $2.15 billion in bi-weekly salaries. To provide employees with convenient access to their payroll, benefits, and personnel data, the Postal Service uses the LiteBlue portal. This web-based portal contains several human resources (HR) applications, including PostalEASE, which allows employees to establish direct deposits, create or modify payroll allotments, and update retirement and health benefits information. In October 2022, some employees entered their login credentials into several fake LiteBlue websites, allowing bad actors to obtain their login credentials and fraudulently reroute employees’ payroll direct deposits and create payroll allotments to bank accounts they controlled.
What We Did
Our objective was to determine if the Chief Information Security Office (CISO) appropriately responded to and mitigated fraudulent access to the PostalEASE application. We also assessed the extent to which CISO could have prevented or mitigated this fraudulent access. For this audit, we reviewed CISO’s response to the attack, evaluated cyber incident and event policies and procedures, and analyzed employee and payroll data.
What We Found
CISO did not take all critical steps necessary to prevent fraudulent access to the PostalEASE application, such as implementing multifactor authentication (MFA) or providing security awareness training to all employees. These issues occurred because CISO prioritized securing the broader Postal Service network and did not make security awareness training mandatory. Additionally, CISO did not escalate the 2022 phishing attack from an “event” to an “incident,” despite unauthorized system access, unlawful activity, and indication the attackers used employees’ credentials to access multiple HR applications.
Recommendations and Managements Comments
We made six recommendations to address issues related to fraudulent account access, incident escalation, residual risk to MFA, and more. Postal Service management agreed with four recommendations and disagreed with two. Management’s comments and our evaluation are at the end of each finding and recommendation. The U.S. Postal Service Office of Inspector (OIG) considers management’s comments responsive to recommendations 1,3,4, and 6 and corrective actions should resolve the issues identified in the report.