Your friendly neighborhood UPS store might have been hacked. UPS just confirmed that in-store cash registers at 51 stores across 24 states in the United States had malware capable of recording credit card information and sending it to third parties. If you swiped your card at any of these stores, your details are probably being sold on the black market right now. UPS started investigating its systems at the end of July after the Department of Homeland Security issued a warning to retailers about hackers trying to target remote access systems designed to allow employees to access corporate networks from afar.
UPS Stores, a subsidiary of UPS, said on Wednesday that a security breach may have led to the theft of customer credit and debit data at 51 UPS franchises in the United States. Chelsea Lee, a UPS spokeswoman, said the company began investigating its systems for indications of a security breach on July 31, the day The New York Times reported that the Department of Homeland Security and the Secret Service would be issuing a bulletin warning retailers that hackers had been scanning networks for remote access capabilities, then installing so-called malware that was undetectable by antivirus products. UPS hired an information security firm and discovered that the malware was on its in-store cash register systems at 51 of its locations in 24 states, roughly 1 percent of UPS’s 4,470 franchises throughout the United States. In a statement, the company said that customers who had used their debit or credit cards at affected locations, which are listed on the UPS website, from Jan. 20 to Aug. 11, 2014, may have been exposed to the malware, though it said exposure began after March 26 in most cases. UPS said it had eliminated the malware as of Aug. 11.