
UPS Store data breach - the post mortem can wait, it's time to warn and advise the victims


August 22, 2014


Up to 100,000 customers of The UPS Store may have reason to worry right now, after the company announced this week that it had suffered a massive data breach at 51 of its sites across the United States.

The breach was orchestrated by hackers who managed to plant malware onto point of sale (PoS) systems used at the company’s stores, which went undetected by anti-virus software for months.

The UPS Store is just the latest in a long line of well-known retailers to have suffered from PoS malware in recent months. Past victims have included Target, Neiman Marcus, P.F. Chang's, and most recently the SuperValu and Albertsons grocery stores.

PoS malware certainly seems to be a growing problem. So much so that in the last month the US government issued an advisory about the threat posed by the Backoff PoS malware.

The UPS Store, a subsidiary of the global shipping firm UPS, says that as of August 11th, the malware has been removed from all 51 impacted locations, and is at pains to underline that it is now safe to shop securely again.

However, because some systems were infected as far back as January 20th, 2014, the hackers appear to have had almost eight months to potentially steal customers’ names, postal and email addresses, as well as payment card information.

I bet some of those 100,000 or so customers now wish that they had paid with cash.

That’s if, of course, they even know that their credit and debit card details may be at risk.

Because, as The UPS Store’s advisory explains, the company “does not have sufficient customer information to contact potentially affected customers”.

In other words, if you don’t happen to see the warning on the UPS Store website, or read one of the news articles about the breach, the first that victims will probably know about being at risk is when their accounts suffer fraudulent activity.

A full list of affected locations, along with the timeline for when the malware entered the network and when transactions became safe again, is on the UPS Store website.

To give it some credit, I’m impressed with the detail that The UPS Store has provided on its website, and how it has used social media channels (such as its Twitter account) to reach out to concerned customers.

My feeling is that you shouldn’t judge a corporation by how it got hacked, but by how well it handles the aftermath and whether it acts openly and respectfully towards its customers.

Clearly there will need to be a post mortem, but right now the most important thing is to support those customers who might be victims – and provide them with advice on how to best protect themselves.

And I’m also pleased to see that Tim Davis, president of The UPS Store, hasn’t been stopped by his legal team from accepting responsibility and isn’t afraid of saying that the firm apologises. That’s refreshing when so many corporations can’t seem to manage a simple “sorry” to customers after a data breach.

“Please know we take our responsibility to protect customer information seriously and have committed extensive resources to addressing this incident. We understand this type of incident can be disruptive and apologize for any anxiety this may have caused.”

Anyone who feels they might be at risk is advised to keep a close eye on their bank account statements, and make use of free credit monitoring offered by the company.




Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s.
