How secure is the personal information given to post offices by those seeking U.S. passports? Not very, according to an investigation by the U.S. Postal Service conducted after a snafu caused a San Diego woman and her daughter to raise questions about possible identity theft.
“At the three Postal Service passport acceptance facilities we visited, acceptance agents did not always secure completed passport applications when they were away from the retail window,” says a May 15 report of the investigation, conducted at the behest of San Diego congressman Duncan Hunter by the Postal Service's Office of Inspector General.
"We observed supporting documentation passport customers left behind that was not stored in locked cabinets or drawers.
"This documentation contained [personally identifiable information] such as valid passports, birth certificates, and driver’s licenses.
"We found transmittal forms with customer names, birth dates, and telephone numbers in envelopes on desktops, in storage rooms, or in cabinets and drawers on the workroom floor, where they were accessible to unauthorized personnel."
The report includes photographs of stacks of personal identity documents strewn about the post offices visited by auditors.
There were other problems as well.
"We observed an acceptance agent processing passport applications in the middle window of the main retail area, which was highly visible and accessible to customers waiting in line.
"During interactions with passport customers, the acceptance agent asked them to verbally confirm portions of the passport application, which revealed [personal information] in the presence of other customers."
Investigators point to lax training of postal clerks assigned to handle passport matters.
"65 percent of acceptance agents at the three passport acceptance facilities we visited did not have documentation to show they completed the required passport acceptance training.
"Of the 17 acceptance agents’ training records we requested for review, management was unable to provide training records showing completion of either the initial passport application acceptance training or the annual passport application acceptance refresher course for 11 agents."
The identity information of its customers is not the only thing being jeopardized, the report adds.
"This could have a negative impact on the Postal Service’s brand and result in revenue loss if customers elect not to use the Postal Service for passport services.
"We identified about $64 million in annual revenue at risk associated with passport acceptance facilities potentially being suspended or closed for noncompliance with [U.S. State Department] procedures."
The road to the investigation began in November 2012, according to the report, when two women submitted passport applications at a San Diego post office.
"The mother received her passport in about 10 days; however, unit personnel found the daughter’s application unsecured at the Post Office 23 days after it was accepted and personnel at a Tucson, AZ Post Office subsequently misfiled the application for 10 days before redelivering it to the regional passport office.
"The Postal Service reimbursed the family for costs associated with the delay in service," the report says, adding that investigators "found no evidence that the Postal Service compromised the [personally identifiable information] in question."
In a May 5 response, Postal Service officials argued that some of the findings made by investigators were "unsubstantiated," and asserted "employees who don't take the annual training are decertified and therefore not allowed to accept passports."
As for other allegations in the report, the response says, "This audit is limited to a sample of three Post Offices with passport acceptance services and may not be representative of all facilities.
"The [Office of Inspector General] should refrain from including subjective findings that could mislead the public into thinking Personally Identifiable Information has been compromised."