USPS Confidential?
The postal service published an article on information security in its Link employee newsletter on Friday, apparently in response to the Veterans Affairs Department case we mentioned here Thursday. The Link article reminds employees that they should avoid downloading sensitive information, and if they need to download it for legitimate purposes, they shouldn’t store it carelessly, or bring it home with them.
It’s all good advice. The only problem is that the VA told its employees the same things.
Keep in mind that the VA case became public because of the amount of information that was compromised, and the fact that it involved the theft of an expensive laptop computer. The same information on every postal employee would fit comfortably on a USB drive- something easily lost or stolen. An employee whose laptop is stolen is going to have to tell his boss, and the police. An employee who misplaces a twenty-five dollar USB drive is probably going to buy a replacement and hope for the best.
Remember also that the VA employee was simply careless- suppose he had actually been unscrupulous? When you’ve got personal data on 26 million veterans (or 700 thousand postal employees), you don’t need to unload it all at once- you might just sell, or use, a little of the information at a time.
One postal employee who responded to Thursday’s article told us he had been the victim of identity thieves who ran up $17,000 in bogus charges on credit card accounts opened in his name. There’s no proof that the information came from the postal service database, but everything the crooks used, including Social Security number, date of birth, etc., is in there, and can be downloaded by anyone with the right access.
Reminders like the Link article are good first steps, but until employee’s Social Security numbers and other personal data is securely locked down, what happened at the VA could happen at the USPS- and for all we know, already has.
