UPS Data Breach Exposes Customer Credit Card Information

Geoff Blaine

What can Brown do for you? Apparently, it’s more than timely global delivery. Global postal carrier UPS is the latest company to fall victim to data breach, according to The Associated Press. All told, malware may have siphoned sensitive customer information — including names, email addresses and credit card numbers — from Jan. 20 to Aug. 11.

On Wednesday, UPS spokeswoman Chelsea Lee told The New York Times that malware was discovered on 51 of 4,470 UPS Store in-store payment terminals — roughly 1 percent throughout the US.

Lee stated the company began investigating indications of breach after The New York Times reported that both the Department of Homeland Security and the Secret Service were planning to issue security bulletins alerting retailers that hackers and other malicious actors were diligently probing companies for vulnerable remote access systems. Once discovered, these groups deployed malware to exploit the vulnerabilities and steal identities and other valuable information.

UPS Store, Inc., issued a press release that they were notified of the breach by the government bulletin. As of Aug. 11, the malware had been eradicated and payment systems are safe, said the statement.

“I understand this type of incident can be disruptive and cause frustration. I apologize for any anxiety this may have caused our customers. At The UPS Store the trust of our customers is of utmost importance,” said Tim Davis, President The UPS Store, Inc. “As soon as we became aware of the potential malware intrusion, we deployed extensive resources to quickly address and eliminate this issue. Our customers can be assured that we have identified and fully contained the incident.”

According to UPS, the spread of the malware was limited because each UPS Store franchise is individually owned and operates independent networks that aren’t connected with other franchises.

In response, UPS is providing a data security tool — located at theupsstore.com/security — for customers to see if their store was affected. In addition, the company is offering free credit monitoring and identity protection services. To learn more about these options, visit theupsstore.allclearid.com.

To avoid similar breaches, retailers, enterprises and other large organizations should deploy strong authentication solutions to properly secure both physical and logical (e.g., workstations, remote access, VPN) access points. This incident also showcases how standard antivirus tools alone aren’t affective in stopping malware and other advanced persistent threats (APT).

Geoff Blaine
Geoff Blaine
Sr. Writer & Managing Editor

An eight-year veteran of Entrust, Geoff is the Identity On blog's managing editor, and also serves as the company's senior writer and social media manager. He brings a blend of real-world journalism experience, cybersecurity perspective and mainstream tech interest.


Add to the Conversation