United Parcel Service has released a breach notification to customers who used payment cards during the last seven months at UPS stores that their personal information may have been stolen. An internal audit inspired by the DHS “Backoff” malware warning in July led to the discovery of malware in UPS Store POS. 105,000 debit and credit cards across 24 states are compromised.
The malware was likely planted through remote access software. On July 31 the Department of Homeland Defense and Security report on “Backoff” malware cautioned anyone in the financial sector using explorer.exe processes that they are vulnerable to an attack. This has implications not only for retailers and POS users, but for anyone using remote access software. Vulnerable applications include Microsoft Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, SplashTop, LogMEIn, and Join.Me.
Global Workplace Analytics reported that more than three million employees telecommuted in 2012, a number that has increased exponentially with the proliferation of mobile devices since then. Vulnerable remote access software is still widely used.
FAQ on the UPS website says: “Customer information that may have been exposed includes customers’ names, postal addresses, email addresses, and payment card information. At this time, we are not aware of fraud associated with the potential data compromise.”
UPS has released a list of locations named in the breach here.