UPS data breach: Customer payment card details compromised

Parcel delivery firm confirms data breach following malware attack on 51 of its 4,500 US stores

UPS has suffered a data breach at 51 of its US stores that may have exposed the names, addresses and payment card details of customers who shopped there.

The parcel delivery firm, which has 4,470 franchised stores in the US, said the breach was uncovered following a comprehensive review of its franchisees' IT systems.

This was prompted by a US government tip-off about the emergence of a broad-based malware intrusion that goes undetected by current anti-virus offerings.

The review revealed the malware was prevalent on systems at 51 stores in 24 states, and may have led to the data of anyone who used their credit cards at these sites between 20 January 2014 and 11 August 2014 being compromised.

The latter date is when UPS claims the malware was eliminated from its systems.

The type of customer data thought to have been compromised by the breach includes names, payment card details, as well as postal and email addresses.

UPS has published a full list of the affected stores, but stopped short of revealing how many of its customers may have suffered as a result of the breach.

It has also been quick to stress that no other UPS entities have been affected by the malware.

Tim Davis, president of The UPS Store, apologised to customers affected by the breach, before assuring them the matter is now under control.

"As soon as we became aware of the potential malware intrusion, we deployed extensive resources to quickly address and eliminate this issue," said Davis.

"Our customers can be assured that we have identified and fully contained the incident."  

Rob Cotton, CEO at security firm NCC Group, said other retailers should treat the UPS breach as a prompt to re-evaluate their own cyber defences.

"The big players in the sector should see this as a wake-up call: you are being directly targeted, so preparation is key," said Cotton.

"We've seen the damage done to [US retailer] Target following the point-of-service attack last year. Earlier this week it again slashed its profit outlook as it struggles to recover from the incident."

Cotton also expressed surprise at how reliant UPS appears to be on anti-virus products to safeguard its customers' data.

"It appears that UPS had relied on the latest antivirus software to protect it from harm, something it manifestly failed to do," Cotton explained.

"This reliance on antivirus is surprising for a company of its size, and as we've said before, antivirus tackles a problem that was around 20 years ago but which is becoming ever more irrelevant to today's cyber threats.

"Organisations must look at other, more effective ways of managing this risk," he concluded.
