Data Breach-stricken UPS Unaware of PoS Malware for Months

Just as news of one large point of sale (PoS) hack begins to recede (see: Supervalu), another pops up to reclaim the headlines. This time the victim is shipping giant United Parcel Service (UPS), which has confirmed a long-running data breach at 51 of its UPS Stores, across 24 states.

While the number of affected stores totals only about 1% of its more than 4,400 locations, as many as 105,000 customer transactions may have been compromised, thanks to the sheer length of the malware infection: it ran from January to August of this year. The thieves are believed to have made off with names, postal addresses, email addresses and credit- and debit-card data.

Worryingly, the government alerted the company to the malware—UPS’ own systems did not detect it. UPS has since hired a security firm to review and upgrade its systems.

"As soon as we became aware of the potential malware intrusion, we deployed extensive resources to quickly address and eliminate this issue. Our customers can be assured that we have identified and fully contained the incident," said Tim Davis, president of the UPS Store subsidiary, in a statement.

However, the inability to catch the issue is, well, an issue. “The first malware infection recorded by UPS was on January 20, 2014 and lasted until August,” said Joshua Cannell, malware intelligence analyst at Malwarebytes Labs, in a comment to us. “In order to avoid detection for such a long period, a custom and highly-targeted piece of malware must have been used, as most traditional malware wouldn't survive a week without being detected by antivirus and anti-malware vendors. This type of malware is often produced by well-funded groups that carefully plan their attack by surveying weaknesses in the target and then building malware to exploit them.”

UPS also said that each affected store runs on its own private network, walled off from the corporate network. That detail is a source of some concern: in previous breaches, the attackers got into a central corporate network (through a third-party contractor, an unwitting insider or some other route) and pushed PoS scraping software out to individual locations from there. Segmented store networks rule out that single pivot point, which means the intruders had to reach the stores some other way. The cybercriminals' operation is clearly evolving.
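The two points above, that the malware evaded antivirus for months and that it was a PoS scraper, are connected: RAM scrapers are simple programs that search the payment application's memory for magnetic-stripe track data, so a defender who cannot rely on a signature can instead hunt for that data shape directly. The following is an added example, not code from the original article and not anything UPS or the quoted vendors published. It assumes a memory dump of a PoS process is available as a byte string (here a constructed sample) and scans it for Track 2 records (ISO/IEC 7813 layout), using a Luhn check to discard digit runs that merely look like card numbers and masking the PAN before reporting it.

```python
"""Signature-independent hunt for Track 2 card data in a memory dump.

Added example: the same pattern a PoS RAM scraper uses to harvest card data
can be run by a defender over memory dumps to find where plaintext track data
(or a scraper's output buffer) is sitting, without any antivirus signature.
"""
import re

# Track 2 layout (ISO/IEC 7813): PAN (13-19 digits), '=' separator, YYMM expiry,
# 3-digit service code, discretionary data, optional '?' end sentinel.
# The lookbehind stops the scan from matching the tail of a longer digit run.
TRACK2_RE = re.compile(rb"(?<!\d)(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d{0,20})\??")


def luhn_ok(pan: str) -> bool:
    """Luhn (mod 10) checksum; rejects random digit runs shaped like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the BIN (first 6) and last 4; a hunting tool must never log full PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(blob: bytes) -> list:
    """Return masked Track 2 hits found in a memory region, with their offsets."""
    hits = []
    for m in TRACK2_RE.finditer(blob):
        pan = m.group(1).decode()
        if not luhn_ok(pan):
            continue            # right shape, but not a real card number
        hits.append({
            "offset": m.start(),
            "pan": mask(pan),
            "expiry": f"20{m.group(2).decode()}-{m.group(3).decode()}",
            "service_code": m.group(4).decode(),
        })
    return hits


# Constructed sample memory region (not a real dump): one valid Track 2 record,
# one Luhn-invalid look-alike, and surrounding noise. 4111111111111111 is a
# well-known Luhn-valid test PAN, not a real card.
SAMPLE_DUMP = (
    b"\x00\x00POSApp v2.3\x00config=prod\x00"
    b";4111111111111111=25121011234567890?\x00"
    b";4111111111111112=2512101000000000?\x00"
    b"\xff\xff"
)


if __name__ == "__main__":
    for hit in find_track2(SAMPLE_DUMP):
        print(f"offset {hit['offset']}: PAN {hit['pan']} exp {hit['expiry']} "
              f"service {hit['service_code']}")
```

Run over a dump of the payment process, a hit means plaintext track data is present in memory at that offset, which is exactly what a scraper harvests; run over a dump of an unknown process, a hit is a strong sign that process is holding card data it has no business holding. The Luhn filter matters because on a real dump the bare regex fires constantly on timestamps, IDs and counters.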

“This shows that sophistication of IT isn't an inoculation against a breach,” said Steve Hultquist, chief evangelist at RedSeal Networks. “The combination of complexity and continuous change, including both growth and technological advancement, means that it's virtually impossible to be aware of all the potential paths of attack. It is critical for all enterprises to deploy not only reactive security analysis but also to use a cyber-attack prevention system to analyze their entire network as it is actually implemented to anticipate all potential paths and to provide guidance in plugging inappropriate holes. The situation will continue to expand and become more broad. Enterprises must take action to avoid being the next casualties.”

Overall, PoS breaches seem to be reaching epidemic levels, with a string of incidents dating back to last Thanksgiving hitting household-name retailers: Supervalu grocery stores, Target, Neiman Marcus, P.F. Chang's, and on and on. The New York Times cited a government source in reporting that the same group of Eastern European criminals is behind several of them.

Researchers had an air of exasperation in commenting on the incident. “How many more point of sale breaches need to occur industry-wide before consumers rise up and start demanding proactive protection surrounding their personal information prior to the purchasing of goods and services from a company?” Kyle Kennedy, CTO of STEALTHbits Technologies, told Infosecurity. “Is it time for a third-party service provider focused solely on financial transactions and securing the consumer’s personal information the answer for the consumer AND the retailer? Or is the risk of personal information potentially being breached so accepted by consumers that change isn’t possible? I refuse to believe, as a consumer and a security executive, that change isn’t possible around one of the most fundamental components of business: the buying of goods and services via credit cards.”

Eric Chiu, president & co-founder of HyTrust, suggested that in the meantime, consumers need to be hyperaware of how they’re using their cards.

“Major breaches are being reported weekly, sometimes daily,” he said in an email. “Attackers are using sophisticated attacks to either compromise PoS systems at physical stores or branches as well as gaining access to corporate networks to siphon off millions of customer records in centralized systems in the core of the data center. Consumers need to…be careful who they do business with and what information they share on the Internet as well as keep an eye on their finances to identify if they might be a victim of a recent breach.”
