The UPS Store breach - what went wrong and what UPS got right


Data breaches at 51 UPS Stores in two dozen US states have put as many as 100,000 customers at risk of identity theft and credit card fraud, after malware was found on the stores' networks, the company said.

The UPS Store - a subsidiary of global shipping service UPS - said it began investigating after it received a bulletin from the US Department of Homeland Security warning of a "broad-based malware intrusion" targeting retailers.

It appears that the malware was on the stores' point-of-sale (PoS) registers, similar to, although not necessarily related to, the attack on Target in late 2013.

UPS said that the network intrusions occurred between January and July of this year, and malware on the networks of the 51 affected stores (around 1% of the company's 4,470 franchise locations) was eliminated as of 11 August 2014.

Lost customer data included customers’ names, postal addresses, email addresses and payment card information.

UPS notified customers via its website, although the company said it "does not have sufficient customer information to contact potentially affected customers directly."

So sorry

After so many data security incidents at retailers in the past year, from Target to Neiman Marcus, Michaels, and just recently P.F. Chang's and Supervalu, you would hope that the industry would be getting better at preventing attacks.

At the very least, companies should be figuring out how to effectively notify impacted customers.

A statement on 20 August from The UPS Store CEO Tim Davis makes it clear that he is taking responsibility for the data breach - including two words that we don't often hear from CEOs: "I apologize."

It's unfortunate that UPS wasn't able to reach out directly to affected customers, but the company seems to have done a good job of getting the word out on its website and giving customers the information they need to determine if they were victims.

The UPS Store website explains in a clearly worded FAQ exactly what happened, where it happened and over what time period, what data was stolen, and what to do.

Unlike some companies that dismiss security incidents with little more than a shrug - notably those in the tech sector such as Snapchat and Viber - retailers know that their very survival depends on maintaining customer trust that their financial data is safe when they use a credit card.

As Target has found out, it can take a long time to restore that lost trust, and the cost of a data breach includes damage to a brand that can be hard to calculate.

For the sake of his company - and his customers - let's hope Davis’s apology is more than empty words.

Image of UPS seal courtesy of 360b /


3 Responses to The UPS Store breach - what went wrong and what UPS got right

  1. LonerVamp · 410 days ago

    +1 for also not trying to up-play the attackers by calling it a sophisticated attacker/operation, with the implied meaning that the attackers were above-and-beyond acceptable industry standards...

  2. So the hackers got "Lost customer data included customers’ names, postal addresses, email addresses and payment card information" but UPS can't figure out how to contact customers? Seriously?

    • Andrew Ludgate · 409 days ago

      Seriously. This implies that UPS is actually complying with PCI DSS for the most part, as they don't store the personal customer data. What happens in this sort of situation is that the attackers go after the information that is used for verification and the information that is sent via encrypted channel to the processor -- UPS never sees any of that.

      However, I'd think that in this sort of situation, the processor or the credit agencies or merchant bank (or all of the above) should be able to put out an advisory to their customers, if they have been notified of the affected terminals and the time range.


About the author

John Zorabedian is a blogger, copywriter and editor at Sophos. He has a background in journalism, writing about technology, business, politics and culture. He lives and works in the Boston area.