
USPS found sharing customer data with major tech companies


The U.S. Postal Service (USPS) was discovered to have been sharing the postal addresses, computer types, tracking numbers, and browser information of its online customers with major tech and advertising companies such as Meta, LinkedIn, Bing, Google, Pinterest, and Snap.

An investigation by TechCrunch revealed that USPS had been utilising hidden data-collecting code, known as tracking pixels, across its website. Tech companies commonly use these pixels to gather user information, such as page visits, each time a webpage containing the code is loaded.

In USPS’s case, the data included postal addresses of users logged into the Informed Delivery service, which allows customers to preview incoming mail. Furthermore, the data-collecting code extracted pseudonymised data on users’ computer type and browser.

While the full scope of the data breach remains unclear, it potentially affected millions of users. As of March 2024, Informed Delivery boasted over 62 million users. The exact number of individuals whose information was compromised and the duration of the data sharing are still unknown.

Beyond addresses, USPS was found to be sharing tracking numbers with companies. This sharing included in-transit tracking data, such as the real-world location of mail within the postal system, even if users were not logged into USPS’s website.


USPS spokesperson Jim McKean acknowledged the issue, explaining that the organisation uses an analytical platform to understand product and service usage internally. He emphasised that USPS does not sell or provide personal information collected from this platform to third parties, and that the configuration had shared personal information without its knowledge.

Although it took immediate action to address the issue, USPS did not disclose the specific measures.

Emil Vazquez, Meta’s spokesperson, reiterated the company’s policy against sharing sensitive information through its Business Tools.

“We’ve been clear in our policies that advertisers should not send sensitive information about people through our Business Tools. Doing so is against our policies, and we educate advertisers on properly setting up Business Tools to prevent this from occurring. Our system is designed to filter out potentially sensitive data it is able to detect,” Vazquez told TechCrunch.

Spokespeople for LinkedIn and Snap did not provide immediate comments.

In January 2024, reports emerged that thousands of companies are sending users’ data to Meta. In April, Verizon, T-Mobile, Sprint, and AT&T were fined $200 million for sharing users’ data.

Additionally, the Federal Trade Commission banned BetterHealth from sharing data with advertisers.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
