United Parcel Service Confirms Security Breach

Photo: UPS said that customers who had used their debit or credit cards at certain locations between Jan. 20 and Aug. 11 may have been exposed to malware. Credit: David Goldman/Associated Press

UPS Stores, a subsidiary of United Parcel Service, said on Wednesday that a security breach may have led to the theft of customer credit and debit data at 51 UPS franchises in the United States.

Chelsea Lee, a UPS spokeswoman, said the company began investigating its systems for indications of a security breach on July 31, the day The New York Times reported that the Department of Homeland Security and the Secret Service would be issuing a bulletin warning retailers that hackers had been scanning networks for remote access capabilities, then installing so-called malware that was undetectable by antivirus products.

UPS hired an information security firm and discovered that the malware was on its in-store cash register systems at 51 of its locations in 24 states, roughly 1 percent of UPS’s 4,470 franchises throughout the United States.

In a statement, the company said that customers who had used their debit or credit cards at affected locations, which are listed on the UPS website, from Jan. 20 to Aug. 11, 2014, may have been exposed to the malware, though it said exposure began after March 26 in most cases. UPS said it had eliminated the malware as of Aug. 11.

“I understand this type of incident can be disruptive and cause frustration. I apologize for any anxiety this may have caused our customers. At The UPS Store, the trust of our customers is of utmost importance,” said Tim Davis, president of The UPS Store, in a statement. “As soon as we became aware of the potential malware intrusion, we deployed extensive resources to quickly address and eliminate this issue.”

The breach at the UPS stores is just the latest in a string of similar cyberattacks on the in-store payment systems at major American corporations, including Target, P.F. Chang’s, Neiman Marcus, Michaels, Sally Beauty, and, most recently, the Supervalu and Albertsons grocery stores.

In each case, criminals scanned for tools that typically allow employees and vendors to work remotely, then broke into them and used their foothold to install malware on retailers’ systems. That malware, in turn, fed customers’ payment details back to the hackers’ computer servers.

The same group of criminals in Eastern Europe is believed to be behind the earlier attacks, according to several people briefed on the results of forensics investigations who were not allowed to speak publicly because of nondisclosure agreements.

The entry point for each breach differed, according to one law enforcement official. At Target, it was thought to be a Pennsylvania company that provided heating, air-conditioning and refrigeration services to the retailer. Criminals were able to use the company’s login credentials to gain access to Target’s systems and eventually to its point-of-sale systems.

Studies have found that retailers, in particular, are unprepared for such attacks. A joint study by the Ponemon Institute, an independent security research firm, and DB Networks, a database security firm, found that a majority of computer security experts in the United States believed that their organizations lacked the technology and tools to quickly detect database attacks. Only one-third of those experts said they did the kind of continuous database monitoring needed to identify irregular activity in their databases, and another 22 percent admitted that they did not scan at all.

UPS said it would offer one year of free identity protection and credit monitoring services to any customer who had used a credit or debit card at any of its affected store locations.