You Are Here: Home » Industry News » UPS Store data breach – the post mortem can wait, it’s time to warn and advise the victims

UPS Store data breach – the post mortem can wait, it’s time to warn and advise the victims

Up to 100,000 customers of The UPS Store may have reason to worry right now, after it was disclosed this week the company announced that it had suffered a massive data breach at 51 of its sites across the United States.

The breach was orchestrated by hackers who managed to plant malware onto point of sale (PoS) systems used at the company’s stores, which went undetected by anti-virus software for months.

The UPS Store is just the latest in a long line of well-known retailers to have suffered from PoS malware in recent months. Past victims have included Target, Neiman Marcus, PF Changs, and most recently the SuperValu and Alberton’s grocery stores.

PoS malware certainly seems to be a growing problem. So much so that in the last month the US government issued an advisory about the threat posed by the Backoff PoS malware.

The UPS Store, a subsidiary of the global shipping firm UPS, says that as of August 11th, the malware has been removed from all 51 impacted locations, and is at pains to underline that it is now safe to shop securely again.

However, because some systems were infected as far back as January 20th, 2014, the hackers appear to have had almost eight months to potentially steal customers’ names, postal and email addresses, as well as payment card information.

I bet some of those 100,000 or so customers now wish that they had paid with cash.

That’s if, of course, they even know that their credit and debit card details may be at risk.

Because, as The UPS Store’s advisory explains, the company “does not have sufficient customer information to contact potentially affected customers”.

In other words, if you don’t happen to see the warning on the UPS Store website, or read one of the news articles about the breach, the first victims will probably know about if they’re at risk is their accounts suffer fraudulent activity.

A full list of affected locations, along with the timeline for when the malware entered the network and when transactions became safe again, is on the UPS Store website.

To give it some credit, I’m impressed with the detail that The UPS Store has provided on its website, and how it has used social media channels (such as its Twitter account) to reach out to concerned customers.

My feeling is that you shouldn’t judge a corporation by how it got hacked, but by how well it handles the aftermath and whether acts openly and respectfully to its customers.

Clearly there will need to be a post mortem, but right now the most important thing is to support those customers who might be victims – and provide them with advice on how to best protect themselves.

And I’m also pleased to see that Tim Davis, president of The UPS Store, hasn’t been stopped by his legal team from accepting responsibility and isn’t afraid of saying that the firm apologises. That’s refreshing when so many corporations can’t seem to manage a simple “sorry” to customers after a data breach.

“Please know we take our responsibility to protect customer information seriously and have committed extensive resources to addressing this incident. We understand this type of incident can be disruptive and apologize for any anxiety this may have caused.”

Anyone who feels they might be at risk is advised to keep a close eye on their bank account statements, and make use of free credit monitoring offered by the company.

About The Author

Security analyst

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

Number of Entries : 191

Comments (2)

  • Dissent

    I’m much less impressed than you are because (1) their web site does not reveal that Social Security numbers and Driver’s License numbers were involved for customers who had Mailbox Manager accounts, and (2) when I tweeted a comment about the SSNs, their Twitter team initially told me I was wrong (which got retweeted) until I told them to go look at page 5, paragraph 2 of the more detailed notification on the California Attorney General’s website. Then they apologized and said I was correct.

    Today, I suggested to the Twitter team that they notify corporate that they should modify their web site, but as of tonight, their web site still reads:

    What information was exposed?

    “Customer information may have been exposed as a result of this malware intrusion. The customer information that may have been exposed includes customers’ names, postal addresses, email addresses and payment card information. Not all of this information may have been exposed for The UPS Store customers who used a credit or debit card at an impacted location during this period. At this time, we are not aware of any reports of fraud associated with the potential data compromise.”

    So customers aren’t being notified, but their SSN and Driver’s License numbers were involved, and they won’t know that at all if they read the web site?

    No, I am not impressed. Not at all.


Leave a Comment

© 2012 Powered By Bitdefender

Scroll to top