UPS Discloses Data Breach That Went Undetected for Months
The recent spate of retail point-of-sale data breaches has claimed yet another victim. United Parcel Service publicly disclosed Aug. 20 that 51 of its stores had been breached.
The data breach was only recently discovered and was active from Jan. 20 to Aug. 11. That's a long time for attackers to be on systems undetected, collecting consumer credit card and other information.
UPS was unaware of the data breach until it read a government advisory about POS malware. In its disclosure, UPS does not specifically identify which government advisory they are referring to, but given the timing, it's likely to be one issued July 31.
That advisory details Backoff POS malware, which infects systems. In an interview with eWEEK Aug. 3, security firm Trustwave, which worked with the U.S. Secret Service to uncover Backoff, said that the malware affected 600 businesses.
At the Black Hat USA security conference earlier this month, Trustwave researchers demonstrated how Backoff works and how easily it can steal user information.
UPS has retained an unnamed IT security firm to assess the extent of the malware on its systems. "An assessment by The UPS Store and the IT security firm revealed the presence of this malware on computer systems at 51 locations in 24 states [about 1 percent] of 4,470 franchised center locations throughout the United States," UPS stated.
What's particularly interesting about the UPS disclosure is the fact that it was discovered only after the government advisory. UPS was unaware of the malware on its system for more than seven months, and likely would have been for much longer if it didn't take action now.
Although advisories often come out after attacks occur, this case proves they have value beyond just explaining what has already happened. In this case, the advisory helped UPS take action, and I suspect that other companies that have yet to make public disclosures are doing or have done the same, as well.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.