Logistics company UPS has admitted that it suffered a breach of user credit card data following a malware intrusion at 51 physical locations.
In a statement and letter to customers, president Tim Davis said that the malware was present at 51 locations of 4,470 franchised center locations throughout 24 states. Davis confirmed that as a response, it has implemented various system enhancements and antivirus updates and it worked with a security firm to eradicate the malware.
Based on its assessment, the period of exposure to this malware began after January 20th, 2014 and the malware was eliminated as of August 11th. Each franchised center location is individually-owned and runs independent private networks that are not connected to other franchised centre locations.
UPS confirmed that some customer information may have been exposed as a result of this malware intrusion, including customers’ names, postal addresses, email addresses and payment card information. Specifically affected are customers who made credit and debit card purchases at the impacted franchised center locations.
“Not all of this information may have been exposed for The UPS Store customers who used a credit or debit card at an impacted location during this period, the statement said. “At this time, we are not aware of any reports of fraud associated with the potential data compromise.”
Davis’ letter said: “Your trust is important to us. Based on the investigation, we feel it is critical to notify our customers of the potential data compromise.
“Please know we take our responsibility to protect customer information seriously and have committed extensive resources to addressing this incident. We understand this type of incident can be disruptive and apologise for any anxiety this may have caused.”
Kyle Kennedy, CTO of STEALTHbits Technologies, said: “How many more point of sale breaches need to occur industry wide before consumers rise up and start demanding proactiveprotection surrounding their personal information prior to the purc
hasing of goods and services from a company? Is it time for a third party service provider focused solely on financial transactions and securing the consumer’s personal information the answer for the consumer AND the retailer? Or is the risk of personal information potentially being breached so accepted by consumers that change isn’t possible?
“I refuse to believe, as a consumer and a security executive, that change isn’t possible around one of the most fundamental components of business – the buying of goods and services via credit cards.”