- USPS passed through a very unveiling audit this summer, which identified multiple critical flaws.
- The agency was using software that was vulnerable to hacker attacks for years, and it’s a miracle that nothing happened.
- A USPS spokesperson has told the press that all problems have been addressed now, and they’re ready for ballots.
Using outdated and no longer supported software tools is an invitation to hackers, even the less skillful ones. Simply put, software that has stopped receiving security updates years ago is full of holes that have known exploitation methods, so breaking into these systems is a matter of following publicly available instructions.
One would expect that the public sector would be the last place where you could find cases of outdated software deployment. Still, as we have repeatedly discovered through various recent reports, it is actually among the first.
The most recent example concerns the US Postal Service (USPS), which was knowingly using outdated IT systems for years, risking a catastrophic cyber-attack that would have cost the agency up to $1 billion. The revelation comes from an internal memo that circulated in the agency in July 2020, describing various critical vulnerabilities that were pretty easy to exploit.
The potential impact would include service disruption as well as the disclosure of sensitive information. Thankfully, and almost miraculously, these flaws weren’t targeted by malicious actors. However, with the 2020 US Presidential Elections approaching and the USPS’s elevated role in them, there are no margins for abatement in security.
A spokesperson of the USPS told Business Insider that all of the vulnerabilities that were identified in the July audit have been pinpointed, scoped, and addressed by their IT teams. Thus, the agency is no longer using vulnerable software. The representative failed to provide more information about which software tools were vulnerable, which is justified from a security perspective.
Motherboard has attempted to learn more about the flaws found and filed a relevant FOIA (Freedom of Information Act) request. Although this was reasonable since USPS is a Federal agency, the request was denied on grounds of valid exemption relevant to software developed by the agency. This response gives us an indication that the vulnerabilities concerned software tools developed by or on behalf of the Postal Service, which is maybe the reason why hackers didn’t bother to try and crack them.