UPS data breach: Customer payment card details compromised
Parcel delivery firm confirms data breach following malware attack on 51 of its 4,500 US stores
UPS has suffered a data breach at 51 of its US stores that may have exposed the names, addresses and payment card details of customers who shopped there.
The parcel delivery firm, which has 4,470 franchised stores in the US, said the breach was uncovered following a comprehensive review of its franchisees' IT systems.
This was prompted by a US government tip-off about the emergence of a broad-based malware intrusion that goes undetected by current anti-virus offerings.
It appears that UPS had relied on the latest antivirus software to protect it from harm, something it manifestly failed to do.
The review revealed the malware was prevalent on systems at 51 stores in 24 states, and may have led to the data of anyone who used their credit cards at these sites between 20 January 2014 and 11 August 2014 being compromised.
The latter date is when UPS claims the malware was eliminated from its systems.
The type of customer data thought to have been compromised by the breach includes names, payment card details, as well as postal and email addresses.
UPS has published a full list of the affected stores, but stopped short of revealing how many of its customers may have suffered as a result of the breach.
It has also been quick to stress that no other UPS entities have been affected by the malware.
Tim Davis, president of The UPS Store, apologised to customers affected by the breach, before assuring them the matter is now under control.
"As soon as we became aware of the potential malware intrusion, we deployed extensive resources to quickly address and eliminate this issue," said Davis.
"Our customers can be assured that we have identified and fully contained the incident."
Rob Cotton, CEO at security firm NCC Group, said other retailers should treat the UPS breach as a prompt to re-evaluate their own cyber defences.
"The big players in the sector should see this as a wake-up call: you are being directly targeted, so preparation is key," said Cotton.
"We've seen the damage done to [US retailer] Target following the point-of-service attack last year. Earlier this week it again slashed its profit outlook as it struggles to recover from the incident. "
Cotton also expressed surprise at how reliant UPS appears to be on anti-virus products to safeguard its customers' data.
"It appears that UPS had relied on the latest antivirus software to protect it from harm, something it manifestly failed to do," Cotton explained.
"This reliance on antivirus is surprising for a company of its size, and as we've said before, antivirus tackles a problem that was around 20 years ago but which is becoming ever more irrelevant to today's cyber threats.
"Organisations must look at other, more effective ways of managing this risk," he concluded.
Consumer choice and the payment experience
A software provider's guide to getting, growing, and keeping customersDownload now
Prevent fraud and phishing attacks with DMARC
How to use domain-based message authentication, reporting, and conformance for email securityDownload now
Business in the new economy landscape
How we coped with 2020 and looking ahead to a brighter 2021Download now
How to increase cyber resilience within your organisation
Cyber resilience for dummiesDownload now