An inspector general report says that USPS “mishandled” the personally identifiable information of some 89,000 employees who have veterans status, inadvertently exposing that information to some 380,000 in-house and contractor personnel who had access to an internal agency website.
The IG says that during an audit of hiring practices, it discovered that issue with two files of names, home addresses, employee identification numbers and work locations of postal employees with veterans status. The files were generated to be made available to district HR representatives, veteran coordinators, and agency learning development and diversity managers to identify employees for recognition on Veterans Day last year.
However, the USPS did not “ensure they were encrypted or password protected to prevent unauthorized access,” the report said. Further, the agency was “unable to verify whether the files were shared outside of the Postal Service” after it was initially informed of the issue and then took 71 days to notify affected employees of the potential exposure of their information.
The Postal Service classified the incident as low-risk because the files did not contain Social Security numbers. However, the IG said that any incidents involving PII “can cause financial harm to an individual and may lead to identity theft or other fraudulent use of the information. Additionally, when an organization does not protect its employees from security incidents, it can experience a loss of public trust, legal liability, or remediation costs,” it said.