UPS struck by PoS malware

By Chad Hemenway on August 21, 2014

upsd-logo200x200United Parcel Service Inc. said 51 of its retail stores in 24 states have been infected by malware since the start of the year.

UPS said it hired an IT security firm to conduct a review of its systems after getting a bulletin from the Department of Homeland Security warning of a malware intrusion not identified by anti-virus software. The security firm discovered point-of-sale malware in 51 stores—about 1 percent of The UPS Store’s 4,470 locations in the US.

The affected stores were in Arizona, California, Colorado, Connecticut, Florida, Georgia, Idaho, Illinois, Louisiana, Maryland, Nebraska, Nevada, New Jersey, New York, North Carolina, North Dakota, Ohio, Oklahoma, Pennsylvania, South Dakota, Tennessee, Texas, Virginia and Washington.

Customers who used a credit card at the locations between January 20 and August 11 could have been exposed to the breach, said UPS. Names, addresses, email, and payment card information of customers may have been exposed. Most locations were infected by the malware after March 26.

“As soon as we became aware of the potential malware intrusion, we deployed extensive resources to quickly address and eliminate the issue,” said Tim Davis, president of The UPS Store, Inc. “We have identified and fully contained the incident.”

UPS said “customers can shop securely at all The UPS Store locations.” The company said there is no evidence of fraud from the data breach and is offering identity protection and credit-monitoring services to customers who may have been affected.

A late July DHS advisory prepared in collaboration with the National Cybersecurity and Communications Integration Center, United States Secret Service, Financial Sector Information Sharing and Analysis Center, and Trustwave Spiderlabs warned of a newly identified malware dubbed “Backoff,” which has been associated with several point-of-sale breach investigations. This type of malware has “low to zero percent anti-virus detection rates.”

Chad Hemenway is Managing Editor of Advisen News. He has more than 15 years of journalist experience at a variety of online, daily, and weekly publications. He has covered P&C insurance news since 2007, and he has experience writing about all P&C lines as well as regulation and litigation. Chad won a Jesse H. Neal Award for Best Single Article in 2014 for his coverage of the insurance implications of traumatic brain injuries and Best News Coverage in 2013 for coverage of Superstorm Sandy. Contact Chad at 212.897.4824 or chemenway@advisen.com.