DataBreaches.Net

USPS notified 5,400 online store customers after their data were inadvertently revealed to others

Posted on November 12, 2011 by Dissent

A few days ago, I received an inquiry from someone who had logged into her USPS online store account, only to see another customer’s name, address, and last four digits of their credit card number. Understandably concerned, she contacted customer service, who told her that it was a “known error” and that letters would be going out. Customer service also suggested that the problem had occurred after a recent update.

In response to my inquiry to USPS, a spokesperson indicated there did seem to be a coding issue and that

On October 28, 2011 we became aware that some of our customers’ credit card information that was stored on usps.com may have been exposed. The U.S. Postal Service and the U.S. Postal Inspection Service are conducting an investigation into a systems failure on why this happened. Postal Service computer technicians are working around-the-clock to minimize any impact this incident may have caused our customers. The privacy and security of this data is of critical importance to the Postal Service. We apologize for any inconvenience this situation may have caused our customers.

About 5400 customers received the letter dated Nov. 8. Testing to fix the situation is going well.

Thanks to the reader who brought this breach to my attention. If you discover a breach that has not been reported publicly, e-mail breaches[at]databreaches.net with details and I’ll try to look into it, as time permits.

Updated 11-12-11: USPS just sent me an update confirming that it was a coding issue and that it’s been resolved.

Category: Breach Incidents, Exposure, Government Sector, U.S.

8 thoughts on “USPS notified 5,400 online store customers after their data were inadvertently revealed to others”

  1. Chris says:
    November 12, 2011 at 10:09 am

    Makes one wonder what testing the “update” went through, and whatever undiscovered issues there are.

    1. admin says:
      November 12, 2011 at 10:35 am

      How many times have we seen similar exposure breaches following an upgrade or update? We don’t have a separate category for purposes of data analyses, but I know we’ve seen it a bunch of times.

  2. Susan says:
    November 13, 2011 at 12:15 pm

    If they discovered it Oct. 28th, why did it take 11 days to notify the people???

    1. admin says:
      November 13, 2011 at 12:31 pm

      Maybe they waited to notify until they could determine whether the problem was from a coding error vs. some other type of problem. They also needed to determine exactly which customers were affected. Eleven days from discovery to mailing letters is really not an unreasonable amount of time, although I would have wished that they had posted something on their web site alerting people.

  3. Steve says:
    November 13, 2011 at 12:23 pm

    When I worked for the USPS (39 yrs) I had an IMPAC Visa card and it was mandatory that we tell ALL vendors NOT to keep our credit card number on file. If they refused we were not allowed to use them.

    Why does the USPS break its own regulation?

  4. cdinwv says:
    November 13, 2011 at 11:35 pm

    If USPS thinks this will help their efforts to promote online retail purchasing, they should think again. I do not trust usps.com to keep my financial information stored nor to conduct transactions on their website. That is why I use a post office facility. USPS doesn’t have the knowledge to handle the issues they already have and by closing down their retail brick and mortar access, they are only leading their retail products and growth into quicker demise. This proves it. Get a grip USPS! Customer security should come first and no customer should ever allow a code error or security issue to compromise their trust in any company when doing business online. Complain people! USPS has to stop wanting to do what it wants and remember the security and service to the people first!

    1. admin says:
      November 14, 2011 at 9:12 am

      Customers do not have to store their credit card numbers. Some choose to as a matter of their own convenience.

  5. PaleWriter says:
    November 14, 2011 at 1:09 pm

    All this around the same time USPS national TV advertising was promoting security of Post Office versus internet theft? Guess postal officials were right.

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.