UPS Discloses Credit Card Breach At 51 Retail Locations

UPS Store Inc. is the latest retailer to suffer a credit card breach, revealing Wednesday that investigators have discovered malware at 51 retail locations in 24 states that exposed sensitive customer and credit card data.

The San Diego-based company, which manages 4,400 The UPS Store franchise locations for the global shipping firm, said customer names, postal addresses, email addresses and payment card information may have been exposed between Jan. 20 and Aug. 11. A UPS Store breach information website contains a list of impacted locations in each state and affected customers can apply for one year of free identity protection and credit monitoring.

"Not all of this information may have been exposed for each customer," said Tim Davis, CEO of UPS Store Inc., in a statement. "As part of our response to this incident, we have implemented various system enhancements and antivirus updates."

[Related: 10 Costly Mistakes That Lead To Credit Card Breaches]

UPS is the latest in a long line of retailer breaches that involved memory-scraping malware on point-of-sale system terminals. The United States Computer Emergency Readiness Team issued an alert in July warning retailers that investigators found many of the malware infections stemming from systems connected to remote desktop applications. Cybercriminals have had success exploiting vulnerabilities in remote access software or gaining access by simply brute-forcing the login features, which are often protected with weak and default passwords, US-CERT said in the advisory.

"After gaining access to what was often administrator or privileged access accounts, the suspects were then able to deploy the point-of-sale malware and subsequently exfiltrate consumer payment data," according to the US-CERT advisory.

One widespread malware variant is Backoff, according to forensics investigators at Trustwave Spiderlabs, which have investigated a slew of retail data breaches in recent months. The cybercriminals behind the attacks tested the Backoff malware thoroughly against antivirus software to enable it to evade detection. Over a seven-month period, malware analysts identified five versions of Backoff.

"Fully updated antivirus engines on fully patched computers could not identify the malware as malicious," the US-CERT said in its advisory.

The advisory recommends retailers implement hardware-based point-to-point encryption, a protection that can be very costly as it involves multiple payment terminals, according to Nir Valtman, co-founder and chief technology officer of security testing firm Crowdome, who spoke about retail security earlier this month at the Black Hat security conference in Las Vegas.

NEXT: Solution Providers Helping Assess Retailer Systems

Solution providers say merchants of all sizes are struggling to gain control over myriad interconnected IT systems and the added complexity from remote maintenance services that need to access them. Organizations already have added layers of security, but there is a growing need to tie the various layers together, said Bob Coppedge owner of Hudson, Ohio-based managed service provider Simplex-IT.

"We've got entire data designs that really aren't as well thought out as we thought," Coppedge said. "The default has been that connectivity is a good thing, accessing data and services are a good thing, and the more access and connectivity the better. But, as a result, you have a lot of retrofitting of security that is both strategic and tactical."

Remote management software has long been identified as a weak point targeted by cybecriminals to gain access to payment system terminals. The FBI issued a retail breach alert in January indicating that remote access software was the initial point of entry for the massive breach at retail giant Target and a similar security breach at Neiman Marcus.

Since the Target breach, solution providers have been working with merchants to assess system integrity and ensure that segmented payment system environments are continually maintained. In addition to Target, P.F. Chang's China Bistro said point-of-sale system malware was used to steal credit cards at its restaurants. Michaels Stores and Sally Beauty also were impacted by similar memory-scraping malware.

The Payment Card Industry Data Security Standards Council, the payment industry organization that maintains the PCI-DSS standards to protect cardholder data, added stronger language in its third revision that took effect in January, encouraging merchants to actively maintain PCI compliance throughout the year. The document calls for stronger authentication measures and thorough penetration testing to ensure payment systems are properly segmented and isolated from other systems on the corporate network.

A new guidance document (.PDF) issued by the council this month provides recommendations to properly evaluate the security of third-party providers, including managed security service providers, IT resellers and consultants.

PUBLISHED AUG. 21, 2014