UPS Hit by Data Breach Company Doesn't Know How Many Customers Were Affected, Only the Number of Transactions. Wall Street Journal By Laura Stevens
Aug 25, 2014United Parcel Service said 51, or about 1%, of its UPS Stores were recently affected by a data breach.
Bloomberg News
United Parcel Service Inc. UPS said Wednesday that a data breach at 51 of its UPS Stores may have compromised data on approximately 105,000 customer transactions between January and August.
Customers won't receive individual notification letters because the company doesn't have all cardholder data, a UPS spokesman said. Customers will need to check the UPS Store Inc.'s website to see if they have shopped at a store that might have been affected. The company said it doesn't know how many customers might have been affected—only the number of transactions.
The data breach was limited to the affected stores—about 1% of its more than 4,400 UPS Stores—which run on independent private networks, UPS said. The data breach affected stores in 24 states, including California, Florida, Texas and New York. Other parts of the UPS network weren't affected.
UPS described the breach as being related to malicious software that may have resulted in stolen customer information, including names, postal addresses, email addresses and credit- or debit-card data.
The stores, which are individually owned as franchises, eliminated the malware on Aug. 11, and UPS says it has no evidence of fraud as a result of the breach.
"As soon as we became aware of the potential malware intrusion, we deployed extensive resources to quickly address and eliminate this issue. Our customers can be assured that we have identified and fully contained the incident," said Tim Davis, president of the UPS Store subsidiary.
UPS has set up an information website and will offer identity- protection and credit-monitoring services to any customers who may be affected.
The data breach is the latest in a string of intrusions at retailers such as Target Corp. TGT -0.11% , Neiman Marcus Group and grocery chain Supervalu Inc., SVU -1.22% and restaurant chain P.F. Chang's China Bistro Inc. Typically, a malicious software attacks the point-of-sale, capturing data when a card is swiped for payment. The attack on Target compromised tens of millions of credit and debit accounts over the holidays last year.
The rise in data breaches has intensified pressure on banks and retailers to introduce a new generation of credit cards embedded with microchips, which are designed to be more secure. Already widely in use in Europe and other parts of the world, chip cards scramble the data as a transaction occurs.
UPS said it recently received a notification from the government alerting it to the malware, which it said wasn't detectable by then-current antivirus software. UPS then hired a security firm to review its systems, prompting the discovery.
Write to Laura Stevens at laura.stevens@wsj.com