UPS Reveals Data Breach

POS Malware Compromises 105,000 Transactions at 51 Stores
UPS Reveals Data Breach

UPS is warning that subsidiary UPS Stores suffered a point-of-sale malware attack that compromised numerous card transactions over a seven-month period. All told, 51 of its U.S. franchised center locations across 24 states were infected, which may have resulted in attackers compromising customers' personal information and payment card details, including some Social Security and driver's license numbers, thus placing them at risk of identity theft and fraud.

See Also: Creating a User-Centric Authentication and Identity Platform for the Healthcare Industry

About 105,000 credit card and debit card transactions were compromised in the data breach, UPS spokeswoman Chelsea Lee tells Information Security Media Group. The number of customers affected has not been revealed.

Atlanta-based UPS is the world's largest express carrier and package delivery company, and also owns UPS Stores, which is a franchiser of almost 4,700 retail shipping stores in the United States, Puerto Rico and Canada. UPS says the breach began earlier this year - on January 20 for some locations, and by March 26 for the rest - and lasted until August 11, when the company says the breach was eradicated. About 1 percent of UPS Stores were breached, says UPS, which published a list of affected stores, including the breach inception date and duration.

"Customer information that may have been exposed includes customers' names, postal addresses, e-mail addresses and payment card information," says a breach FAQ published by UPS. "At this time, we are not aware of any reports of fraud associated with the potential data compromise." In a letter sent to some affected consumers, however, UPS also warns that anyone who signed up for one of its Mail Manager accounts may have also had their Social Security number and driver's license numbers compromised.

Internal Investigation Spots Breach

UPS says it began auditing all POS systems at UPS Stores for malware infections after receiving a July 31 government alert about a rise in POS malware attacks, including a number of Backoff variants designed to infect POS systems and steal credit and debit card data when cards are swiped. "As soon as we became aware of the potential malware intrusion, we deployed extensive resources to quickly address and eliminate this issue. Our customers can be assured that we have identified and fully contained the incident," says UPS Store president Tim Davis in a statement. "I understand this type of incident can be disruptive and cause frustration. I apologize for any anxiety this may have caused our customers."

UPS says each franchised store is individually owned and "runs an independent private network" that isn't connected to any other location's network. That suggests attackers hacked directly into each store's network to infect POS devices with the memory-scraping malware.

So far, however, UPS has declined to comment about whether the malware discovered on its systems by digital forensic investigators was Backoff. "We're still continuing the investigation," says Lee at UPS. "The reason we issued the notification now was to alert potentially impacted customers."

In a letter to customers, UPS says any customers who used a credit or debit card at the affected locations during the time period in which systems were infected by the POS malware will be given one year's worth of free identity theft and credit monitoring.

Government Backoff Alert

The July 31 Backoff: New Point of Sale Malware warning that spurred the UPS investigation was issued by the Department of Homeland Security, the U.S. Secret Service and the Financial Services Information Sharing and Analysis Center, or FS-ISAC. They said three different digital forensic investigations found cases where the Backoff malware was used to successfully infect POS systems, with attackers often sneaking the malware onto systems via businesses' remote-access portals.

According to the alert, attackers have been actively scanning for businesses that use remote-desktop applications such as Apple Remote Desktop, Chrome Remote Desktop, Join.me, LogMeIn, Microsoft's Remote Desktop, Pulseway, and Splashtop 2.

Chris Hague, a managing consultant at Trustwave who's investigated Backoff intrusions, says businesses that use remote-access tools must secure them using two-factor authentication. "In the cases we've reviewed, poor passwords with remote access were to blame," Hague says. "Many companies use remote access, and if you're not using two-factor authentication, it makes it easier for hackers to brute-force those passwords."

Watch for POS Malware

As the UPS breach highlights, POS malware attacks are tough to spot, unless businesses are looking for them. "Given that criminals have started to aggressively target POS in the past 8 to 12 months and that many companies may not have thought such systems at risk from malware, it is not unusual for a breach to go unnoticed for that period of time," Dublin-based cybersecurity consultant Brian Honan, who heads Ireland's computer security incident response team, tells Information Security Media Group.

Many POS systems, however, don't even run anti-malware tools. "Some POS systems may not have anti-virus installed on them, as they would not have been previously considered a target for malware," says Honan. Other attackers might also design targeted attacks that haven't ever been seen before, thus making them tough to stop.

That's just one reason why businesses that use POS terminals shouldn't rely on anti-virus alone to defend against these types of malware attacks. Another comes via the US-CERT July 31 advisory: "At the time this advisory is released, the variants of the 'Backoff' malware family are largely undetected by anti-virus vendors."

To help block these types attacks, US-CERT has published "indicators of compromise" that organizations can also monitor, including MD5 hashes of Backoff malware that's been recovered in previous attacks. Such hashes, however, wouldn't match any versions of existing malware that attackers repack, which means they alter the file slightly to result in a different hash, while keeping functionality intact. Likewise, brand-new versions of the malware wouldn't match existing MD5 hashes.

Takeaway: Warnings Work

One takeaway from the UPS hack attack is that the government's Backoff warning worked. "It's a good thing the government sent out a bulletin that UPS Stores' personnel read and investigated," says the blogger who goes by the name Dissent. "If they hadn't, this breach would have been even worse."

Honan, meanwhile, also lauds UPS for releasing a well-written data breach notification. "The information UPS Stores provided was excellent in that it was clear, concise, and easy to understand for their consumers, he says. "They also ensured there was a link on their homepage so that consumers knew where to get that information."

Target's Revenue Slump

In other data breach news, UPS announced its breach the same day that Target reported a second-quarter decline in net earnings of more than 60 percent, the third consecutive quarterly decline in profits. The slump comes after the massive data breach of Target's POS systems was discovered in December 2013. To date, Target has racked up an estimated $146 million in net expenses related to the breach.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network