UPS data breach
UPS Stores, a subsidiary of United Parcel Service, said that a security breach may have led to the theft of customer credit and debit data at 51 UPS franchises in the United States recently. Chelsea Lee, a UPS spokeswoman, said the company began investigating its systems for indications of a security breach on July 31, the day The New York Times reported that the Department of Homeland Security and the Secret Service would be issuing a bulletin warning retailers that hackers had been scanning networks for remote access capabilities, then installing the so-called malware that was undetectable by antivirus products.
UPS hired an information security firm and discovered that the malware was on its in-store cash register systems at 51 of its locations in 24 states, roughly 1 per cent of UPS’s 4,470 franchises throughout the United States.
In a statement, the company said that customers who had used their debit or credit cards at affected locations, which are listed on the UPS website, from January 20 to August 11, 2014 may have been exposed to the malware, though it said exposure began after March 26 in most cases. UPS said it had eliminated the malware as of August 11.
“I understand this type of incident can be disruptive and cause frustration. I apologise for any anxiety this may have caused our customers. At the UPS Store, the trust of our customers is of utmost importance,” said Tim Davis, President of the UPS Store, in a statement. “As soon as we became aware of the potential malware intrusion, we deployed extensive resources to quickly address and eliminate this issue.”
The breach at the UPS Store is just the latest in a string of similar cyber attacks on the in-store payment systems at major American corporations, including Target, P.F. Chang’s, Neiman Marcus, Michaels, Sally Beauty, and, most recently, the Supervalu and Albertsons grocery stores.
In each case, criminals scanned for tools that typically allow employees and vendors to work remotely, then broke into them and used their foothold to install malware on retailers’ systems. That malware, in turn, fed customers’ payment details back to the hackers’ computer servers.