UPS Store discovers malware intrusion; notifies customers at 51 franchise locations

From the uh-oh dept.:

UPS Store, on behalf of 51 franchise center locations, writes:

We are writing to notify you of an incident that involves certain of your personal information. The UPS Store, Inc. (“The UPS Store”), among many other U.S. retailers, recently received a government bulletin regarding a broad-based malware intrusion targeting retailers in the United States. The UPS Store discovered malware identified in the bulletin on systems at 51 locations in 24 states (about 1%) of 4,470 franchised center locations throughout the United States. Upon receiving the bulletin, The UPS Store retained an IT security firm and conducted a review of its systems and the systems of its franchised center locations. As part of its response to this incident, The UPS Store has implemented various system enhancements and antivirus updates.

Based on the current assessment of The UPS Store and the IT security firm, we believe that certain personal information you provided in connection with establishing a MailBox Manager account at one of the impacted franchised center locations between January 20, 2014 and August 11, 2014 may have been exposed. For some center locations, the period of exposure to this malware began after January 20, 2014. The malware was eliminated as of August 11, 2014 and no longer presents a threat for customers shopping at The UPS Store locations in the United States. The customer information that may have been exposed in connection with the MailBox Manager accounts includes customers’ names, postal addresses, Social Security numbers and driver’s license numbers. In addition, we believe that your name, postal address, email address and payment card information may have been exposed to the extent you made credit or debit card purchases at the impacted franchised center locations during the same time period. Not all of this information may have been exposed for each customer. Based on the investigation, we think it is appropriate to notify you of the potential for data loss.

You can read the full notification here (pdf). Those affected are being offered free services with AllClear ID.

So it’s a good thing the government sent out a bulletin that UPS Stores personnel read and investigated. If they hadn’t, this breach would have been even worse.

About the author: Dissent