It’s yet another data leak. This time, it’s the United States Postal Service. The leak reportedly exposed 60 million users.
It’s the latest in a string of security incidences. Previously, Amazon suffered from a data leak, though details remain sparse on the nature of the leak. Next up is Brazil’s Federation of Industries of the State of São Paulo (FIESP) which suffered a leak exposing tens of millions of accounts. After that, the Lands Authority of Malta suffered from a 10GB data leak.
Now, the latest leak comes from the United States Postal Service (USPS) where a reported 60 million have been exposed thanks to a data leak.
Of course, the blockbuster isn’t the only eye-popping aspect to the story. As it turns out, the leak was discovered by a security researcher over a year ago. The message warning USPS about the leak went unanswered and the security problem persisted.
As a result, the researcher went ahead and contacted Krebs On Security. Krebs on Security independently verified the security issue and also contacted the USPS. It was only then that the USPS responded and addressed the issue. From Krebs on Security:
The problem stemmed from an authentication weakness in a USPS Web component known as an “application program interface,” or API — basically, a set of tools defining how various parts of an online application such as databases and Web pages should interact with one another.
The API in question was tied to a Postal Service initiative called “Informed Visibility,” which according to the USPS is designed to let businesses, advertisers and other bulk mail senders “make better business decisions by providing them with access to near real-time tracking data” about mail campaigns and packages.
In addition to exposing near real-time data about packages and mail being sent by USPS commercial customers, the flaw let any logged-in usps.com user query the system for account details belonging to any other users, such as email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and other information.
Many of the API’s features accepted “wildcard” search parameters, meaning they could be made to return all records for a given data set without the need to search for specific terms. No special hacking tools were needed to pull this data, other than knowledge of how to view and modify data elements processed by a regular Web browser like Chrome or Firefox.
The article goes on to highlight comments from others who suggested such a security issue should have been addressed long ago.
Still, it raises the question of how long this information was exposed. Yes, we know that the researcher knew about this for over a year, but how long did it go on before the researcher discovered this?
What’s more, why was no action taken when the USPS was effectively warned about the vulnerability? Even if one were to believe that this is not a credibly source, why wasn’t anything done to verify whether or not the issue was really present or not? Why did it take notifying a media outlet before action was even taken?
To be clear, USPS is far from the only organization to receive a warning that their site is compromised, yet take no action. Earlier this year, a similar incident happened with Panerabread where warnings went ignored. It took media involvement before changes took place.
Yes, it’s bad that there was such a security vulnerability. Yes, it is also bad when such a huge number of users have been exposed. Still, an argument could be made that explicitly ignoring warnings about potential vulnerabilities is worse. At that point, an even stronger case can be made that negligence is an aspect of the data leak. At the very least, it’s hard to win sympathy when an organization knowingly ignores a site vulnerability – especially when they have the skill and resources to fix it.
At any rate, this is a particularly nasty leak on a number of levels. The way data is treated this days by a number of organizations out there, this will likely not be the last big one either.
Drew Wilson on Twitter: @icecube85 and Google+.
