United Parcel Service Inc. (NYSE:UPS) said Wednesday that customers who swiped their credit or debit cards at 51 out of the company’s 4,470 locations around the United States may have had their information stolen.
Atlanta-based UPS said that malware was found at about 1 percent of its franchise locations across the U.S., and potentially affected customers would have conducted business at the locations from Jan. 20 through Aug. 11. Most of the locations were exposed to the malware after March 26, and it was eliminated at all locations as of Aug. 11, UPS said. The company said that about 105,000 transactions were involved, but it hasn't said how many customers were affected. UPS did say the breach may have been limited -- each individually-owned franchise operates on its own network. That arrangement “definitely helped,” UPS Store spokeswoman Chelsea Lee told Bloomberg News.
“I understand this type of incident can be disruptive and cause frustration. I apologize for any anxiety this may have caused our customers. At the UPS Store, the trust of our customers is of utmost importance,” the UPS Store President Tim Davis said in a statement. “As soon as we became aware of the potential malware intrusion, we deployed extensive resources to quickly address and eliminate this issue.”
UPS said it discovered the breach when a government bulletin notified it and several other U.S. retailers of a broad-based malware intrusion not detected by antivirus software. UPS Store said that the customer information that may have been exposed includes names, postal addresses, email addresses and payment card information. Not all information may have been exposed for each customer, it said.
UPS, the world's largest package-shipping company, joins several major companies that have had their customers' card information stolen in recent years, including Target Corp. (NYSE:TGT), which said thieves stole credit card numbers and other personal information from at least 70 million of its customers last holiday shopping season.
UPS Store is offering identity protection and credit monitoring programs for one year at no charge to customers who may have been affected, Lee said. The company has also provided a list of affected stores, including locations and dates of when the malware was present on register machines.