Tuesday, June 5, 2018

Holding Mail Carriers Accountable to Reduce Identity Theft

Mailboxes lined up on street corner
Private mail is a treasure trove of information for identity thieves. There are medical bills, credit card statements, checks, ID documents and more.

In Yonkers, NY, 85 people have been victims of mail theft so far, resulting in $660,000 in losses. Police arrested three men who stole 10 public mail bins — but the thefts continued. The officials involved in the investigation reported that it’s possible the thieves obtained a master key through ties to former employees of the postal system.

Unfortunately, it’s not uncommon for identity thieves to exist within the postal service itself. Employees have access not only to high volumes of mail but also master keys to public mail bins and cluster box units (CBUs). The Postal Inspection Service reports that in 2017, there were 1,145 cases of mail theft. From October 2016 to September 2017, the Office of Inspector General investigated 1,364 internal mail thefts — that’s 119 percent of the thefts from the Postal Inspection Service’s reporting period!

Fortunately, there’s a way you can address and prevent these thefts.

How to Reduce Insider Threats Through Key Control


Ensuring the safety of delivery equipment such as post office boxes, collection boxes and CBUs requires that you hold employees accountable for how they use keys. An effective key control policy requires that employees:

  • Only have access to keys required for their jobs
  • Use keys for the intended purposes
  • Report lost or stolen keys as soon as possible
  • Return keys at the end of their shifts

To reduce the risk of insider threats, the manual steps involved in meeting these goals should be automated wherever possible. Here are a few examples of how electronic key control helps improve employee accountability:

  • User Profiles — Rather than manually issuing keys, an electronic key control system controls access to keys based on specific user profiles. The system will also record when a key is removed, who removed it and when it’s due for return. To capture this information, some systems might require you to scan a key tag to update the log, while others will automatically record the transaction when the key is removed from the system. Again, the fewer manual steps required, the more secure the process is.
  • Real-Time Alerts — If the key is not returned when it’s due, some systems will send designated personnel a text or email alert.
  • Verifiable Audit Trail — Ensuring you have a verifiable audit trail of key usage can help with investigating security breaches. Even if someone accesses a key without going through the appropriate channels, the audit trail will help you identify who has used each key in the past and demonstrates that you took reasonable efforts to control access to your assets.

By implementing these measures, you can help ensure that employees use keys for their intended purpose. You owe it to citizens to minimize the risk of their personal information being stolen.