UPS Discloses Credit Card Breach At 51 Retail Locations


UPS Store Inc. is the latest retailer to suffer a credit card breach, revealing Wednesday that investigators have discovered malware at 51 retail locations in 24 states that exposed sensitive customer and credit card data.

The San Diego-based company, which manages 4,400 The UPS Store franchise locations for the global shipping firm, said customer names, postal addresses, email addresses and payment card information may have been exposed between Jan. 20 and Aug. 11. A UPS Store breach information website contains a list of impacted locations in each state and affected customers can apply for one year of free identity protection and credit monitoring.

"Not all of this information may have been exposed for each customer," said Tim Davis, CEO of UPS Store Inc., in a statement. "As part of our response to this incident, we have implemented various system enhancements and antivirus updates."

[Related: 10 Costly Mistakes That Lead To Credit Card Breaches]

UPS is the latest in a long line of retailer breaches that involved memory-scraping malware on point-of-sale system terminals. The United States Computer Emergency Readiness Team issued an alert in July warning retailers that investigators found many of the malware infections stemming from systems connected to remote desktop applications. Cybercriminals have had success exploiting vulnerabilities in remote access software or gaining access by simply brute-forcing the login features, which are often protected with weak and default passwords, US-CERT said in the advisory.

"After gaining access to what was often administrator or privileged access accounts, the suspects were then able to deploy the point-of-sale malware and subsequently exfiltrate consumer payment data," according to the US-CERT advisory.

One widespread malware variant is Backoff, according to forensics investigators at Trustwave Spiderlabs, which have investigated a slew of retail data breaches in recent months. The cybercriminals behind the attacks tested the Backoff malware thoroughly against antivirus software to enable it to evade detection. Over a seven-month period, malware analysts identified five versions of Backoff.

"Fully updated antivirus engines on fully patched computers could not identify the malware as malicious," the US-CERT said in its advisory.

The advisory recommends retailers implement hardware-based point-to-point encryption, a protection that can be very costly as it involves multiple payment terminals, according to Nir Valtman, co-founder and chief technology officer of security testing firm Crowdome, who spoke about retail security earlier this month at the Black Hat security conference in Las Vegas.

NEXT: Solution Providers Helping Assess Retailer Systems