updated 03:30 pm EDT, Thu August 21, 2014
Stores in 24 states affected by breach that spanned up to seven months in some cases
The UPS Store chain of delivery and packaging facilities has reported that a number of its stores have been the target of a "broad-based malware intrusion," adding that customer data could have been accessed. The United Parcel Service (UPS) subsidiary became aware of the breach on July 31, the same day that the Department of Homeland Security sent out notices regarding a malware called "Backoff," according to the New York Times.
After the company received the bulletin, it hired a security firm to look into its systems -- only to find that some of its 4,470 franchise locations were infected. A total of 51 stores in 24 states, including Arizona, California, Colorado, Georgia and North Carolina, were hit with the malware. Digging deeper into the security breach, The UPS Store found that some of the stores saw the initial intrusion as early as January 20. While most intrusions did not appear until March, the malware wasn't eliminated until August 11.
President of The UPS Store Tim Davis says that the company has "implemented various system enhancements and antivirus updates" since the attack was discovered. At this time, the company doesn't know of any reports of fraud as a result of the intrusion. However, the company is notifying customers who were potentially impacted by the system breach.
In the course of the breach, the chain believes that customers' information could have been exposed. This includes names, physical addresses, email addresses and potentially credit and debit card information. However, the company adds that not every customer necessarily had every piece of this information exposed. As a result, the company is giving customers who were affected by the malware intrusion a free year of credit monitoring and identity protection through AllClearID.
"Please know we take our responsibility to protect customer information seriously, and have committed extensive resources to addressing this incident," said Davis. "We understand this type of incident can be disruptive, and apologize for any anxiety this may have caused."
A list of all of the stores affected by the breach is available at the UPS Store page. Customers who did business with any of the 51 stores in the seven-month window are urged to contact the company. The company states that it doesn't have enough information to contact customers in some cases if a credit or debit card was used.