Local networks of 51 UPS Store outlets in 24 states have been infected with a virus which steals customers’ credit and debit card numbers and personal data. The perpetrators could have been collecting information for over six months.
The hackers who infected United Parcel Service (UPS) Stores with the virus could possibly have been harvesting data from January 20 to August 11, with most of the attacks taking place in April. Up to 105,000 transactions were affected, UPS said in a statement.
The organizers of the attack are likely to have stolen credit and debit card numbers as well as information about their holders’ personal data.
The malware used has never been exposed before so antivirus programs failed to pick it up to prevent “broad-based malware intrusion,” said UPS in a statement issued on Wednesday.
“For most locations, the period of exposure to this malware began after March 26, 2014,” UPS said in a statement, stressing that infected individually-owned locations used to have non-connected networks and that UPS’ own corporate systems have not been infected.
A total of 51 UPS Stores out of 4,470, or about 1 percent, were infected.
The virus was finally detected and eliminated after federal investigators notified UPS Store about possible intrusion, forcing the franchise to review its systems.
“I understand this type of incident can be disruptive and cause frustration. I apologize for any anxiety this may have caused our customers. At The UPS Store the trust of our customers is of utmost importance,” maintained UPS Store President Tim Davis in a statement.
“As soon as we became aware of the potential malware intrusion, we deployed extensive resources to quickly address and eliminate this issue. Our customers can be assured that we have identified and fully contained the incident,” he said.
So far there is no information about whether the hackers have used the obtained data to get access to the financial assets of UPS Store customers.
The data breach has become the biggest one in UPS history and will cost the company no less than $111 million, ZDNet reported.
The data security breach at the UPS Store is the third one of its kind over the last week, with grocery store chain Supervalu and hospital network Community Health Systems announcing the detection of malicious intrusions into their databases.
Supervalu has had account data from its 180 stores exposed to malefactors while Community Health Systems had personal data of about 4.5 million patients stolen, including Social Security numbers, birth dates and phone numbers.