A data breach at 51 UPS Stores has exposed the personal data of approximately 105,000 customer transactions that took place in 24 states. The malware involved appears to have had access to UPS customers' names, postal addresses, email addresses and credit- or debit-card data, The UPS Store (a wholly owned subsidiary of United Parcel Service) said in a statement posted online yesterday (Aug. 20).
The compromised retail stores make up slightly more than 1 percent of The UPS Store's 4,470 U.S. locations, which are all independently owned franchises, but that certainly won't make affected customers feel any better. If you used a debit or credit card between Jan. 20 and Aug. 11 of this year at one of the 51 affected stores, here's what you should do.
What to do if you think you're affected by the UPS data breach
Go to The UPS Store's website and check the list of affected stores. Most are located in Arizona, California, Georgia, Nevada and North Carolina, but other states, from New York to Washington, also have one or two breached stores. The UPS Store's list also includes the date that each individual store was infected by the malware; some weren't infected until April of this year.
Contact The UPS Store if you know, or think, that you've patronized a store on the list during the compromise window. The company is offering one year of free identity protection and credit monitoring to all impacted customers. To sign up, visit The UPS Store's Complementary Identity Protection page. You can also call The UPS Store with concerns at 1-855-731-6016.
Contact one of the three credit-reporting agencies — Equifax, Experian or TransUnion — to place a credit alert on your file. (The UPS Store has provided contact information on its website.) The agency you notify will contact the other two. You will be notified of all requests to access your credit file for a period of 90 days, after which you can renew the alert. (The UPS Store suggests that affected customers take the additional step of instituting a credit freeze, which denies all access to a file without the customer's permission, but costs the customer a small sum.)
Contact your card issuer directly to inform it that one or more of your cards may be affected by the UPS data breach. Some card issuers may decide to issue new cards.
Personally monitor your own card activity for at least the next few weeks. Don't just wait for the monthly statement; instead, call the toll-free number on the back of the card every few days to check on balances and recent activity.
How the UPS data breach happened
For what it's worth, it appears that The UPS Store has handled the data breach well. The company's announcement of the breach disclosed the affected stores and dates of the breach, and added that the breach was carried out by a type of malware that current antivirus programs couldn't detect.
According to The UPS Store, the infection was discovered after it hired an independent security firm to conduct a review of its computer systems, following an advisory bulletin issued July 31 to retailers by the Department of Homeland Security and the U.S. Secret Service. The DHS/USSS bulletin warned that a new strain of point-of-sale malware called "Backoff" had appeared that was not detected by antivirus software.
Point-of-sale (PoS) malware infects "PIN pads," into which retail customers swipe their credit and debit cards, in order to capture card data. A different strain of PoS malware infected all of Target Corporation's U.S. retail stores last fall, resulting in the compromise of 40 million credit and debit cards.
The UPS Store did not explicitly state that Backoff had been found on its systems, but the description of the malware's capabilities provided by the company matched those given in the DHS/USSS bulletin.
It's unlikely that The UPS Store will be the last company to find Backoff on its systems, or to suffer a compromise of customer card data as a result of the current outbreak. We may hear more notifications of Backoff-related data breaches in the coming weeks.
- Best Android Antivirus Software 2014
- What to Do If Your Social Security Number Is Stolen
- Mobile Security Guide: Everything You Need to Know
Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, on Facebook and on Google+.