Postal Service Loses Security Data After Backing It Up … On The Same Hardware

A government audit of the U.S. Postal Service found that it lost important data after a hardware failure erased the data and its backup, both of which were stored on the same piece of hardware.

The Computer Incident Response Team database, “used to record and monitor computer incidents,” was lost after an unspecified hardware failure in April of this year. The report found that “the Postal Service did not ensure all database backups were being stored on separate hardware. Specifically, the CIRT database was lost due to a hardware failure and the data was not recovered due to the absence of a backup on a separate piece of hardware.”

The database lost was considered essential, meaning it was “necessary for daily operations.” CIRT monitors “events that threaten the integrity, availability, or confidentiality of information resources, such as suspicion or occurrence of any fraudulent activity; unauthorized disclosure, modification, misuse, or inappropriate disposal of Postal Service information.”

Amazingly, current Postal Security standards do not “prohibit the practice of using the same hardware to maintain and back up noncritical information resources” — a policy the report recommended be “updated.” The report also suggested that “there may be other unidentified databases that are not backed up on separate hardware that could result in a loss of data and the inability to comply with record maintenance requirements.”

Earlier this year the USPS won an award for “innovative use of online security,” which was accepted by CIRT’s Information Systems Security Manager Andrew Kotynski. USPS Corporate Security Information Officer Chuck McGann called winning the award “significant public recognition for this team’s commitment and the leadership that Andy provides in protecting USPS and its customers against threats.”

Luckily not all was irretrievably destroyed, since “the Postal Service maintained paper copies of incident reports that contained portions of the data lost.”

According to the report, USPS management agreed with its findings and recommendations and agreed to change backup storage requirements: “Specifically, the policy will require that backups must not be stored on the same hardware device as the original information.”