USPS notified 5,400 online store customers after their data were inadvertently revealed to others

A few days ago, I received an inquiry from someone who had logged into her USPS online store account, only to see another customer’s name, address, and last four digits of their credit card number. Understandably concerned, she contacted customer service, who told her that it was a “known error” and that letters would be going out. Customer service also suggested that the problem had occurred after a recent update.

In response to my inquiry to USPS, a spokesperson indicated there did seem to be a coding issue and that

On October 28, 2011 we became aware that some of our customers’ credit card information that was stored on may have been exposed. The U.S. Postal Service and the U.S. Postal Inspection Service are conducting an investigation into a systems failure on why this happened. Postal Service computer technicians are working around-the-clock to minimize any impact this incident may have caused our customers. The privacy and security of this data is of critical importance to the Postal Service. We apologize for any inconvenience this situation may have caused our customers.

About 5400 customers received the letter dated Nov. 8. Testing to fix the situation is going well.

Thanks to the reader who brought this breach to my attention. If you discover a breach that has not been reported publicly, e-mail breaches[at] with details and I’ll try to look into it, as time permits.

Updated 11-12-11:  USPS just sent me an update confirming that it was a coding issue and that it’s been resolved.

About the author: Dissent

8 comments to “USPS notified 5,400 online store customers after their data were inadvertently revealed to others”

  1. Chris - November 12, 2011

    Makes one wonder what testing the “update” went through, and whatever undiscovered issues there are.

    • admin - November 12, 2011

      How many times have we seen similar exposure breaches following an upgrade or update? We don’t have a separate category for purposes of data analyses, but I know we’ve seen it a bunch of times.

  2. Susan - November 13, 2011

    If they discovered it Oct. 28th, why did it take 11 days to notify the people???

    • admin - November 13, 2011

      Maybe they waited to notify until they could determine whether the problem was from a coding error vs. some other type of problem. They also needed to determine exactly which customers were affected. Eleven days from discovery to mailing letters is really not an unreasonable amount of time, although I would have wished that they had posted something on their web site alerting people.

  3. Steve - November 13, 2011

    When I worked for the USPS (39 yrs) I had an IMPAC Visa card and it was mandatory that we tell ALL vendors NOT to keep our credit card number on file. If they refused we were not allowed to use them.

    Why does the USPS break its own regulation?

  4. cdinwv - November 13, 2011

    If USPS thinks this will help their efforts to promote online retail purchasing, they should think again. I do not trust to keep my financial information stored nor to conduct transactions on their website. That is why I use a post office facility. USPS doesn’t have the knowledge to handle the issues they already have and by closing down their retail brick and mortar access, they are only leading their retail products and growth into quicker demise. This proves it. Get a grip USPS! Customer security should come first and no customer should ever allow a code error or security issue to compromise their trust in any company when doing business online. Complain people! USPS has to stop wanting to do what it wants and remember the security and service to the people first!

    • admin - November 14, 2011

      Customers do not have to store their credit card numbers. Some choose to as a matter of their own convenience.

  5. PaleWriter - November 14, 2011

    All this around the same time USPS national TV advertising was promoting security of Post Office versus internet theft? Guess postal officials were right.
