UPS said it is investigating a security breach that may have resulted in customers’ credit and debit card information being stolen at 51 of the shipping company’s nearly 4,500 U.S. stores.
In a letter to customers on Wednesday, the company said it worked with a computer security firm to review in-store computer systems at all UPS
locations and discovered malware in 51 locations, which are spread across 24 states and which represent roughly 1% of the company’s total locations. The UPS investigation stemmed from a recent government bulletin warning retailers that hackers had been remotely accessing retail systems to install malware that was going undetected by antivirus software.
Customers who used credit or debit cards at any of those stores between January 20 and August 11, 2014 – when the malware was discovered and eliminated – may have been exposed. The company says customers’ card information could have been revealed, along with their names, home addresses and email addresses.
“As soon as we became aware of the potential malware intrusion, we deployed extensive resources to quickly address and eliminate this issue. Our customers can be assured that we have identified and fully contained the incident,” UPS president Tim Davis said in a statement.
Davis apologized to customers on Wednesday “for the anxiety this may have caused,” and he said the company will provide identity protection and credit monitoring services to all customers who made purchases at the affected stores while the malware was in effect.
With the announcement, UPS becomes just the latest U.S. company to admit that its computer security systems failed. In May, eBay
advised its users to change their passwords after the company became aware of a privacy breach that may have exposed some customer information. And, last year, Target
acknowledged a lapse in security that affected the personal information of 110 million people and cost the company $148 million in related claims.