UPS says 51 stores infected with credit card stealing malware
Dozens of UPS stores across 24 states, including California, Georgia, New York, and Nebraska, have been hit by malware designed to suck up credit card details. The UPS Store, Inc., is a subsidiary of UPS, but each store is independently owned and operated as a licensed franchisee.
In an announcement posted Wednesday to its website, UPS said that 51 locations, or around one percent of its 4,470 franchised stores across the country, were found to have been penetrated by a “broad-based malware intrusion.” The company recorded approximately 105,000 transactions at those locations, but does not know the precise number of cardholders affected.
UPS did not say precisely how the data was taken, but given the recent breaches at hundreds of supermarkets nationwide and the point-of-sale hacks at Target and other major retailers, point-of-sale systems would be a likely attack vector. Earlier this month, a Wisconsin-based security firm also reported that 1.2 billion usernames and passwords had been captured by a Russian criminal group.
UPS Store spokeswoman Chelsea Lee told Ars that the company was alerted to the potential intrusion based on a government bulletin issued by the Department of Homeland Security. After receiving that bulletin, UPS “retained an IT security firm and conducted a review of its systems and the systems of its franchised center locations.”
Ars asked UPS to provide a copy of this bulletin, and Lee said she would look into it. Ars has also filed a Freedom of Information Act request to gain a copy of this bulletin.
The company also said that anyone who used a credit card at any one of the 51 locations between January 20, 2014 and August 11, 2014 may be at risk—the malware was apparently “not present on the computing systems of any other UPS business entities.”
“I understand this type of incident can be disruptive and cause frustration,” Tim Davis, president of The UPS Store, said in a statement. “I apologize for any anxiety this may have caused our customers. At The UPS Store the trust of our customers is of utmost importance. As soon as we became aware of the potential malware intrusion, we deployed extensive resources to quickly address and eliminate this issue. Our customers can be assured that we have identified and fully contained the incident.”
UPDATE 8:11pm CT: One reader sent us a copy of the bulletin, which was distributed by the Department of Homeland Security and the United States Secret Service.
That document precisely matches an online alert dated July 31 and updated on August 18 from the United States Computer Emergency Readiness Team (US-CERT), along with technical analysis from Trustwave SpiderLabs. We were notified of these two links by a second Ars Technica reader.
“The forensic investigations of compromises of retail IT/payment networks indicate that the network compromises allowed the introduction of memory scraping malware to the payment terminals,” the bulletin states. “Information security professionals recommend a defense in depth approach to mitigating risk to retail payment systems.”
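The "memory scraping" the bulletin refers to works because a payment application briefly holds the card's magnetic-stripe track data in cleartext between the swipe and encryption; the malware simply pattern-matches process memory for the Track 1 and Track 2 layouts. The same matching is how an incident responder confirms exposure in a memory dump. The script below is an added example written for this article, not code from the bulletin, from Trustwave, or from any malware sample: it scans a constructed byte buffer (stand-in for a process memory dump, using public test card numbers) for track-data shapes and uses the Luhn check to separate real PANs from digit runs, reporting only masked PANs.

```python
import re

# Constructed sample of what a dump of a payment application's process memory
# might contain (example data only, not from any real terminal or from the UPS
# incident). Card numbers are public test PANs, not real accounts.
SAMPLE_MEMORY = (
    b"\x00\x00POS-app 1.2\x00\x00"
    b";4111111111111111=25121011000012345678?\x00"           # Track 2, Luhn-valid
    b"%B5500000000000004^DOE/JOHN^2512101000000000000?\x00"  # Track 1, Luhn-valid
    b";1234567890123456=2512101?\x00"                        # Track 2 shape, Luhn-invalid
    b"unrelated text 12345678901234567890\x00"
)

# Magnetic-stripe track formats as they sit in memory between card read and
# encryption: Track 1 "%B<PAN>^<NAME>^<YYMM>...?", Track 2 ";<PAN>=<YYMM>...?".
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})[^?]{0,40}\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})[^?]{0,30}\?")


def luhn_ok(pan: bytes) -> bool:
    """Luhn mod-10 check, used to separate real PANs from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 0x30
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: bytes) -> str:
    """Keep first 6 and last 4 digits so a report never re-exposes full PANs."""
    return (pan[:6] + b"*" * (len(pan) - 10) + pan[-4:]).decode()


def scan_memory(buf: bytes) -> list:
    """Return every track-data shaped match in buf with its offset and Luhn result."""
    hits = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group(1)
            hits.append({
                "track": track,
                "offset": m.start(),
                "pan_masked": mask_pan(pan),
                "expiry": m.group(3 if track == 1 else 2).decode(),
                "luhn_valid": luhn_ok(pan),
            })
    return sorted(hits, key=lambda h: h["offset"])


def cleartext_card_data(buf: bytes) -> list:
    """The hits a RAM scraper would actually keep: track data with a Luhn-valid PAN."""
    return [h for h in scan_memory(buf) if h["luhn_valid"]]


if __name__ == "__main__":
    for h in scan_memory(SAMPLE_MEMORY):
        print(h)
    print("exposed card records:", len(cleartext_card_data(SAMPLE_MEMORY)))
```

Run against a real memory image (for example, one produced by a forensic acquisition tool) the same two regular expressions are what most published detection signatures for this malware family boil down to; the Luhn filter matters because a 16-digit run in memory is common and only the ones that pass mod-10 represent exposed cards. Point-to-point encryption at the reader, which keeps track data from ever appearing in application memory in cleartext, is the control that makes this scan return nothing.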