UPS Store discovers malware intrusion; notifies customers at 51 franchise locations

From the uh-oh dept.:

UPS Store, on behalf of 51 franchise center locations writes:

We are writing to notify you of an incident that involves certain of your personal information. The UPS Store, Inc. (“The UPS Store”), among many other U.S. retailers, recently received a government bulletin regarding a broad-based malware intrusion targeting retailers in the United States. The UPS Store discovered malware identified in the bulletin on systems at 51 locations in 24 states (about 1%) of 4,470 franchised center locations throughout the United States. Upon receiving the bulletin, The UPS Store retained an IT security firm and conducted a review of its systems and the systems of its franchised center locations. As part of its response to this incident, The UPS Store has implemented various system enhancements and antivirus updates.

Based on the current assessment of The UPS Store and the IT security firm, we believe that certain personal information you provided in connection with establishing a MailBox Manager account at one of the impacted franchised center locations between January 20, 2014 and August 11, 2014 may have been exposed. For some center locations, the period of exposure to this malware began after January 20, 2014. The malware was eliminated as of August 11, 2014 and no longer presents a threat for customers shopping at The UPS Store locations in the United States. The customer information that may have been exposed in connection with the MailBox Manager accounts includes customers’ names, postal addresses, Social Security numbers and driver’s license numbers. In addition, we believe that your name, postal address, email address and payment card information may have been exposed to the extent you made credit or debit card purchases at the impacted franchised center locations during the same time period. Not all of this information may have been exposed for each customer. Based on the investigation, we think it is appropriate to notify you of the potential for data loss.

You can read the full notification here (pdf). Those affected are being offered free services with AllClear ID.

So it’s a good thing the government sent out a bulletin that UPS Stores personnel read and investigated. If they hadn’t,  this breach would have been even worse.

About the author: Dissent

6 comments to “UPS Store discovers malware intrusion; notifies customers at 51 franchise locations”

You can leave a reply or Trackback this post.
  1. Amazed Canuck - August 21, 2014

    Hmm, I’m curious about something, and after reading and checking out the links supplied by you (thanks for the info here) and UPS, I couldn’t find an answer… so here’s my question

    Many Canadians use the UPS store to cut down on shipping costs when ordering from the states. They open border town accounts with them (No clue if they have to supply SIN, similar to your SSN), drive over and pick up what they ordered.

    A quick glance shows 7 border states.

    Any Canadians affected by this? If so, were the Canadians notified? If so, why isn’t it mentioned on their website? If so, is their Canadian side credit motoring?

    Just curious…

    • Dissent - August 21, 2014

      I think there were two types of customers affected – those with Mailbox Manager accounts (which involve SSN) and those who just used their debit/credit cards to pay for services. UPS Store isn’t notifying any customers directly as they don’t have sufficient contact info.

      I’m not sure about whether the offer is good in Canada. I’ll try to find out.

      • Dissent - August 21, 2014

        Update: UPS Store’s Twitter team responded to my inquiry as to whether Canadian customers were eligible for the AllClear ID offer. They tweeted: “Yes, if they used a payment card at an affected store during relevant dates.”

        So that’s your answer and you can tell fellow Canadians that if their location is on the location list at http://www.theupsstore.com/security/Pages/default.aspx during the relevant dates, they can sign up.

  2. Amazed Canuck - August 21, 2014

    oh, don’t go out of your way. Was just curious about it. Have a couple of Canadian friends who use some sort of NY UPS drop-box where they have parcels (car parts) delivered to. They pick them up State side to save money on surcharges and shipping. I have no clue how the whole thing works really.
    (no clue if they circumvent Custom/Duty charges) 😉

    I guess it must be something like this:
    http://www.ups.com/content/us/en/resources/sri/umc_deliver_to_the_ups_store.html

    Was only curious. The release seems to indicate “shoppers”.

    • Dissent - August 21, 2014

      Already went out of my way, you bum. 🙂

      • Amazed Canuck - August 21, 2014

        oh. TY for the reply above, didn’t notice the update.
        Will let them know they should look into it.

        and, TY for going out of your way. I’ll be sure to make you go out of your way more often. :p

        Signed,

        The bum

Comments are closed.