
UPS Hacked, Customer Financial Data Could Be Compromised

United Parcel Service (UPS) has revealed that earlier this year, hackers breached computer systems at 51 of its brick-and-mortar retail outlets across 24 US states, giving them the opportunity to steal customer data, including financial information.

The company didn’t specify the number of customers who might be affected, or the type of malware used in the attack. It also said it doesn’t plan to notify affected customers directly.

“As soon as we became aware of the potential malware intrusion, we deployed extensive resources to quickly address and eliminate this issue. Our customers can be assured that we have identified and fully contained the incident,” said Tim Davis, president of UPS Store.

Brown in trouble

UPS is the world’s largest package-shipping company, delivering more than 15 million mail items a day. It discovered that some of its computers were infected after a US government organisation (likely to be US-CERT) warned it about the existence of a new strain of malware not detected by conventional anti-virus solutions.

UPS promptly hired an IT security specialist to conduct a review, which found evidence of malware at 51 stores, or one percent of the company’s American franchise network.

A spokesperson for the company told Bloomberg that the breach could potentially have compromised data from around 105,000 transactions at UPS Stores, conducted between 20 January and 11 August. This information included names, physical and email addresses and credit or debit card data. UPS said it is not currently aware of any cases of this data being used for fraud.

The company added that the scope of the breach may have been limited because each franchised outlet is individually owned and runs its own independent, private network.

UPS joins the growing number of major US corporations successfully breached by cyber criminals in 2014: earlier this week, Community Health Systems said it lost 4.5 million patient records to what it suspects were Chinese hackers. Later reports claimed that the attack relied on the much-lamented Heartbleed vulnerability.

Last week, retail giant SuperValu revealed that hackers could have stolen credit and debit card account numbers from Point-of-Sale (PoS) systems in at least 209 stores. And who can forget massive breaches at Target and eBay, which compromised the security of tens of millions of users?

Just like Target and SuperValu, UPS has offered the affected customers free identity protection and credit monitoring programs for a year – something that has become a standard response to major data breaches.

“This is another high-profile attack on a company within the retail industry. The big players in the sector should see this as a wake-up call: you are being directly targeted, so preparation is key,” commented Rob Cotton, CEO at information assurance firm NCC Group.

“It appears that UPS had relied on the latest anti-virus software to protect it from harm, something it manifestly failed to do. This reliance on antivirus is surprising for a company of its size, and as we’ve said before, anti-virus tackles a problem that was around 20 years ago but which is becoming ever more irrelevant to today’s cyber threats. Organisations must look at other, more effective ways of managing this risk.”

Max Smolaks

Max 'Beast from the East' Smolaks covers open source, public sector, startups and technology of the future at TechWeekEurope. If you find him looking lost on the streets of London, feed him coffee and sugar.
