Over 50 UPS Stores Hit by Data Breach, Exposing Personal Card Information
On Thursday, August 21, I received the following data breach alert by email from BillGuard®, a personal finance protection platform that actively tracks spending and alerts users to deceptive or unwanted charges:
We’re reaching out to notify you that a recent transaction of yours – a purchase at United Parcel Service (UPS) – may have exposed your financial details. UPS announced last night that it believes some nationwide UPS Store customers had credit and debit card information compromised from a malicious virus found on UPS payment systems.
According to UPS, a malware attack affected 51 stores in 24 states, exposing customers’ personal data including payment card info, names, postal addresses and email addresses. UPS believes that the data breach impacted around 100,000 transactions. UPS has provided a detailed list of the stores as well as the malware intrusion dates and transaction dates.
President of the UPS Store, Tim Davis, apologized in a statement for any anxiety the theft may have caused customers. He said “the company had deployed extensive resources to quickly address and eliminate this issue.”
The UPS Store is a franchise, and the stores all run on separate computer systems, which may have prevented the attack from getting worse. UPS claims the malware wasn’t found in any other stores.
It’s not the first time I’ve received an email about a data breach of some sort this year. In fact, I’ve been getting a lot of these lately. Social media has been flooded with similar stories and is now labeling 2014 the “Year of the Hack.” According to CNNMoney, 110 million Americans had their personal data exposed in the last 12 months – that’s half of the nation’s adults.
Firestorm reported the massive Target data breach back in December 2013. Over 40 million people were impacted, and the breach resulted in the company’s CEO, Gregg Steinhafel, stepping down. Since then, it has been quite a feeding frenzy for hackers. Here’s a brief list of some of the biggies this year:
- 3.2 million stolen credit and debit cards from Adobe users
- Michaels had 3 million payment cards used
- 4.6 million Snapchat users had account data breached
- 1.1 million cards were taken from Neiman Marcus
- 120 million of AOL’s account holders
- eBay’s 148 million customer credentials breached
- The most recent news of powerhouse retailer, Home Depot, falling victim to cybercrime, causing stock to drop two percent in just a day.
But while it’s obvious that there are many external dangers, it might be what’s inside your business that you have to worry about. The latest research indicates that more hacks, whether malicious or accidental, are occurring inside an organization rather than from outside. Think about it: if it can happen to the National Security Agency, it can happen to you. Edward Snowden convinced dozens of co-workers at the NSA to hand over usernames and passwords as part of his job as computer systems administrator. And they did without question. Why not? He was the IT guy. In fact, this type of breach now has a name – The Edward Snowden Effect.
According to a recent Forrester Research report, “Understand the State of Data Security and Privacy,” 25 percent of survey respondents said abuse by a malicious insider was the most common way in which a breach occurred in the past year at their company. Thirty-six percent of breaches, however, were caused by employee mistakes, making them the current top cause of data breaches.
Data breaches are among the most common and costly security failures in any business, no matter what size – small, medium or large. Studies show that companies come under attack an average of nearly 17,000 times a year. Here are some other sobering statistics:
- A data breach can cost an organization an average of $7.2 million. (Ponemon Institute, “2010 US Cost of a Data Breach”)
- 59 percent of IT workers have experienced two or more data breaches in the past 12 months at their own organizations. (Ponemon Institute, “Perceptions About Network Security,” 2011)
- 50 percent of breaches occur through hacking and 40 percent involve malware. (2011 Verizon Data Breach Investigations Report)
It’s evident that the risk is out there and that preventing attacks takes some due diligence on the part of both consumers and companies. As we say at Firestorm, luck isn’t a strategic plan. If you’ve been lucky so far, don’t think you are immune in the future. Data privacy is more than just credit card information these days. It’s phone numbers, emails, addresses and any personal information that you are supplying as part of loyalty programs, phone apps, travel sites, online pharmacies and more.
A data breach doesn’t have to be malicious; it can take one angry employee or one accidental opening of a suspicious email to set your company up for a costly attack. Now is the time to take a stand. Both consumers and companies need to begin arming themselves with the best protection. And that goes for any of your organization’s outside vendors. The Target breach resulted from a third-party vendor, a heating/air conditioning and refrigeration firm, when an employee accidentally opened an email carrying malware. It should be company policy that “if you want to do business with us, you need to be protected.”
It’s clear that we haven’t quite learned our lesson from this year’s continuous stream of hacks. So whether it’s your personal data or your company’s critical information, the bottom line is that we all need to be aware of the threats and prepare for the inevitable. That’s why at Firestorm we believe in the PREDICT.PLAN.PERFORM.® approach. This means identifying your vulnerabilities and putting in place procedures and policies to monitor, plan, mitigate and train for impacts in the event of crises. It’s time to find ways to put a plug in a possible breach.