The UPS Store recently announced that hackers may have accessed the credit card information of customers who made purchases at any of 51 UPS Store locations in 24 U.S. states between Jan. 20, 2014 and Aug. 11, 2014.

The affected stores make up approximately one percent of the 4,470 franchised UPS Store locations in the United States. Bloomberg reports that about 105,000 transactions were affected in total.

The data potentially exposed includes customer names, mailing addresses, email addresses and payment card information.


The breach was discovered after the company received a U.S. government bulletin regarding a broad-based malware intrusion and hired an IT security firm to conduct a review of its systems.

"I understand this type of incident can be disruptive and cause frustration," Tim Davis, president of The UPS Store, Inc., said in a statement. "I apologize for any anxiety this may have caused our customers."

"As soon as we became aware of the potential malware intrusion, we deployed extensive resources to quickly address and eliminate this issue," Davis added. "Our customers can be assured that we have identified and fully contained the incident."

The company says the malware was eliminated as of Aug. 11, 2014, and all UPS Store locations are now secure.

In a FAQ on its website, the company stated: "The UPS Store does not have sufficient customer information to contact potentially affected customers directly. We have created this website as a resource for potentially affected customers, to determine if they may have used a credit or debit card at one of the affected UPS Store locations during the designated timeframe, and have provided broad public notification about the incident through media."

All potentially affected customers are advised to review their account statements and credit reports for fraudulent activity, and are being offered one free year of identity protection and credit monitoring services from AllClear ID.

Customers with questions are advised to contact the company at (855) 731-6016.

Tripwire security analyst Ken Westin noted by email that the same type of malware was successfully used in the recent Target, Neiman Marcus and P.F. Chang's breaches. "This family of point-of-sale malware goes as far back as October 2013; it relies on scraping unencrypted credit card data from the memory of infected devices, much like previously seen malware," he said.

"The malware itself is sophisticated, but the method of intrusion is not," Westin added. "Attackers use publicly available scanning tools to detect point-of-sale systems running remote desktop applications, then they rely on application vulnerabilities or brute forcing to gain access to systems where they install the malware."

Trustwave threat intelligence manager Karl Sigler recently provided eSecurity Planet with a video demo of the Backoff PoS malware at the Black Hat USA 2014 conference in Las Vegas.

Tripwire CTO Dwayne Melancon said by email that the UPS Store breach illustrates the challenges of managing security in a distributed, lightly managed environment. "It is crucial that organizations adopt a consistent security standard, one they regularly assess to ensure their point of sale systems have not been compromised," he said.

"The general trend toward continuous monitoring and standardized configurations, along with security configuration management, is a positive step," Melancon added. "The challenge is implementing these controls quickly enough to make a difference."

This is the third major breach to be disclosed in the past week, following Supervalu's acknowledgement of a breach affecting a wide range of supermarkets including Acme Market, Cub Foods, Farm Fresh, Hornbacher's, Jewel-Osco, Shaw's, Shop 'n Save, Shoppers and Star Markets; and Community Health Systems' announcement of a breach affecting approximately 4.5 million patients.
