The list of corporations that have been victimized by credit card stealing malware in 2014 grew a little longer this week as UPS announced that 51 of its stores suffered a “broad-based malware intrusion” earlier this spring.
The company disclosed the breach – which affected franchised locations of The UPS Store – Wednesday in a press release on its site.
UPS claims it recently received a government bulletin regarding malware “not identified by current antivirus software” and retained an IT security firm to do a review of its systems. The search yielded the aforementioned, unnamed malware, which UPS states could impact any customers who used a credit or debit card at some of its stores over a certain time period.
As is to be expected with any potential credit card breach, some and potentially all of users’ payment card information, email addresses, postal addresses and names may have been exposed by the incident.
“I understand this type of incident can be disruptive and cause frustration,” Tim Davis, President of the The UPS Store, Inc. said Wednesday, “I apologize for any anxiety this may have caused our customers.”
Users were exposed to the malware from at least Jan. 20 to Aug. 11, but UPS is clarifying that for most locations, the malware began after March 26.
“The malware was eliminated as of August 11, 2014 and customers can shop securely at all The UPS Store locations,” the announcement goes on to state.
The affected stores span across 24 different states, only account for one percent of UPS’ 4,470 franchised center locations. Impacted locations include stores in North Carolina, Nevada, New Jersey, California and Georgia. The full list, along with the time frame users were exposed to malware, can be found here.
As is par for the course with breaches like these, UPS is insisting that it has no proof of fraud from the incident so far, but just in case, is offering identity protection and credit monitoring services for any affected.
While UPS didn’t reveal much about the type of “broad-based malware intrusion” it suffered, it’s assumed, especially in the wake of point of sale terminal attacks at Target, Albertson’s, Neiman Marcus and Michael’s, that UPS’ systems were targeted in a similar fashion.
At least in Target’s case, attackers were able to infiltrate the company’s systems, inject the RAM scraper malware into running processes and swipe card data before it was encrypted.
While this week’s Community Health System breach was eventually traced back to a Heartbleed vulnerability, Aviv Raff, Seculert’s CTO and Chief Researcher, acknowledged a similarity between the two breaches. Both illustrate how persistent attackers can be after they’ve successfully planted their attack tool.
“As UPS basically admits that the attackers were in their systems, undetected for 4-8 months, it shows the necessity of Enterprises to start using security tools that are able to detect attacks not just in real time, but more importantly – over time,” Raff said Wednesday.
*UPS Store image via theghostofgraingertown‘s Flickr photostream, Creative Commons