UPS data breach: Customer payment card details compromised


UPS has suffered a data breach at 51 of its US stores that may have exposed the names, addresses and payment card details of customers who shopped there.

The parcel delivery firm, which has 4,470 franchised stores in the US, said the breach was uncovered following a comprehensive review of its franchisees' IT systems.

This was prompted by a US government tip-off about the emergence of a broad-based malware intrusion that goes undetected by current anti-virus offerings.


The review found the malware on systems at 51 stores in 24 states. Anyone who used a credit card at these sites between 20 January 2014 and 11 August 2014 may have had their data compromised.

The latter date is when UPS claims the malware was eliminated from its systems.

The customer data thought to have been compromised by the breach includes names and payment card details, as well as postal and email addresses.

UPS has published a full list of the affected stores, but stopped short of revealing how many of its customers may have suffered as a result of the breach.

It has also been quick to stress that no other UPS entities have been affected by the malware.

Tim Davis, president of The UPS Store, apologised to customers affected by the breach, before assuring them the matter is now under control.

"As soon as we became aware of the potential malware intrusion, we deployed extensive resources to quickly address and eliminate this issue," said Davis.

"Our customers can be assured that we have identified and fully contained the incident."

Rob Cotton, CEO at security firm NCC Group, said other retailers should treat the UPS breach as a prompt to re-evaluate their own cyber defences.

"The big players in the sector should see this as a wake-up call: you are being directly targeted, so preparation is key," said Cotton.

"We've seen the damage done to [US retailer] Target following the point-of-service attack last year. Earlier this week it again slashed its profit outlook as it struggles to recover from the incident."

Cotton also expressed surprise at how reliant UPS appears to be on anti-virus products to safeguard its customers' data.

"It appears that UPS had relied on the latest antivirus software to protect it from harm, something it manifestly failed to do," Cotton explained.

"This reliance on antivirus is surprising for a company of its size, and as we've said before, antivirus tackles a problem that was around 20 years ago but which is becoming ever more irrelevant to today's cyber threats.

"Organisations must look at other, more effective ways of managing this risk," he concluded.

Caroline Donnelly is the news and analysis editor of IT Pro and its sister site Cloud Pro, and covers general news, as well as the storage, security, public sector, cloud and Microsoft beats. Caroline has been a member of the IT Pro/Cloud Pro team since March 2012, and has previously worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.