The UPS Store breach – what went wrong and what UPS got right

UPS apologizes for data breach

Data breaches at 51 UPS Stores in two dozen US states have put as many as 100,000 customers at risk of identity theft and credit card fraud, after malware was found on the stores’ networks, the company said.

The UPS Store – a subsidiary of global shipping service UPS – said it began investigating after it received a bulletin from the US Department of Homeland Security warning of a “broad-based malware intrusion” targeting retailers.

It appears that the malware was on the stores’ point-of-sale (PoS) registers, similar although not necessarily related to the attack on Target in late 2013.

UPS said that the network intrusions occurred between January and July 2014, and that the malware on the networks of the 51 affected stores (around 1% of the company’s 4,470 franchise locations) had been eliminated as of 11 August 2014.

Exposed customer data included customers’ names, postal addresses, email addresses and payment card information.

UPS notified customers via its website, although the company said it “does not have sufficient customer information to contact potentially affected customers directly.”

So sorry

After so many data security incidents at retailers in the past year, from Target to Neiman Marcus, Michaels, and most recently P.F. Chang’s and Supervalu, you would hope the industry would be getting better at preventing attacks.

At the very least, companies should be figuring out how to effectively notify impacted customers.

A statement on 20 August from The UPS Store CEO Tim Davis makes it clear that he is taking responsibility for the data breach – including two words that we don’t often hear from CEOs: “I apologize.”

It’s unfortunate that UPS wasn’t able to reach out directly to affected customers, but the company seems to have done a good job of getting the word out on its website and giving customers the information they need to determine if they were victims.

The UPS Store website explains in a clearly worded FAQ exactly what happened, where it happened and over what time period, what data was stolen, and what to do.

Unlike some companies that dismiss security incidents with little more than a shrug – notably those in the tech sector such as Snapchat and Viber – retailers know that their very survival depends on maintaining customer trust that their financial data is safe when they use a credit card.

As Target has found out, it can take a long time to restore that lost trust, and the cost of a data breach includes damage to a brand that can be hard to calculate.

For the sake of his company – and his customers – let’s hope Davis’s apology is more than empty words.

Image of UPS seal courtesy of 360b /