UPS Data Breach: What to Do Right Now

News
By published

What should you do if you're affected by the UPS data breach? Here's everything you need to know.

Credit: UPS

(Image credit: UPS)

A data breach at 51 UPS Stores has exposed the personal data of approximately 105,000 customer transactions that took place in 24 states. The malware involved appears to have had access to UPS customers' names, postal addresses, email addresses and credit- or debit-card data, The UPS Store (a wholly owned subsidiary of United Parcel Service) said in a statement posted online yesterday (Aug. 20).

The compromised retail stores make up slightly more than 1 percent of The UPS Store's 4,470 U.S. locations, which are all independently owned franchises, but that certainly won't make affected customers feel any better. If you used a debit or credit card between Jan. 20 and Aug. 11 of this year at one of the 51 affected stores, here's what you should do.

MORE: How to Survive a Data Breach

What to do if you think you're affected by the UPS data breach

Go to The UPS Store's website and check the list of affected stores. Most are located in Arizona, California, Georgia, Nevada and North Carolina, but other states, from New York to Washington, also have one or two breached stores. The UPS Store's list also includes the date that each individual store was infected by the malware; some weren't infected until April of this year.

Contact The UPS Store if you know, or think, that you've patronized a store on the list during the compromise window. The company is offering one year of free identity protection and credit monitoring to all impacted customers. To sign up, visit The UPS Store's Complementary Identity Protection page. You can also call The UPS Store with concerns at 1-855-731-6016.

Contact one of the three credit-reporting agencies — Equifax, Experian or TransUnion — to place a credit alert on your file. (The UPS Store has provided contact information on its website.) The agency you notify will contact the other two. You will be notified of all requests to access your credit file for a period of 90 days, after which you can renew the alert. (The UPS Store suggests that affected customers take the additional step of instituting a credit freeze, which denies all access to a file without the customer's permission, but costs the customer a small sum.) 

Contact your card issuer directly to inform it that one or more of your cards may be affected by the UPS data breach. Some card issuers may decide to issue new cards.

Personally monitor your own card activity for at least the next few weeks. Don't just wait for the monthly statement; instead, call the toll-free number on the back of the card every few days to check on balances and recent activity.

How the UPS data breach happened

For what it's worth, it appears that The UPS Store has handled the data breach well. The company's announcement of the breach disclosed the affected stores and dates of the breach, and added that the breach was carried out by a type of malware that current antivirus programs couldn't detect.

According to The UPS Store, the infection was discovered after it hired an independent security firm to conduct a review of its computer systems, following an advisory bulletin issued July 31 to retailers by the Department of Homeland Security and the U.S. Secret Service. The DHS/USSS bulletin warned that a new strain of point-of-sale malware called "Backoff" had appeared that was not detected by antivirus software.

Point-of-sale (PoS) malware infects "PIN pads," into which retail customers swipe their credit and debit cards, in order to capture card data. A different strain of PoS malware infected all of Target Corporation's U.S. retail stores last fall, resulting in the compromise of 40 million credit and debit cards.

The UPS Store did not explicitly state that Backoff had been found on its systems, but the description of the malware's capabilities provided by the company matched those given in the DHS/USSS bulletin.

It's unlikely that The UPS Store will be the last company to find Backoff on its systems, or to suffer a compromise of customer card data as a result of the current outbreak. We may hear more notifications of Backoff-related data breaches in the coming weeks.

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, on Facebook and on Google+.

See more Computing News
Jill Scharr

Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects. 

Latest in Online Security
23andME box
23andMe has declared bankruptcy — here's how to delete your data now
A magnifying glass on top of the Steam logo in a web browser
Valve just pulled a malicious game demo spreading info-stealing malware from Steam
A man filing his taxes electronically on a laptop
AI-powered tax scams are here - how to stay safe from deepfakes, phishing and more this tax season
MacBook Pro 2023
New Mac attack is tricking users into thinking their computer is locked — how to stay safe
Hacker using a stolen social security card
Your Social Security number is a literal gold mine for scammers and identity thieves — here’s how to keep it safe
An open lock depicting a data breach
Half a million teachers hit in major data breach with SSNs, financial data and more exposed — what to do now
Latest in News
Nintendo Switch 2
Nintendo Switch 2 tipster may have just leaked release month and launch plans
Disney Plus logo
Disney Plus upgrade just fixed one of my biggest problems with the home page
Tom Hiddleston as Robert Laing in "High Rise" now streaming on Netflix
5 best Netflix movies in March you haven't watched yet
iPhone 16 with Apple Intelligence logo for iOS 18.1
iOS 18.4: All the newest Apple Intelligence features coming to your iPhone
Maria Debska in "Just One Look" now streaming on Netflix
3 best Netflix shows in March you haven't watched yet
Split image featuring the Galaxy S25 Edge (left) and Galaxy S25 Ultra (right)
Samsung Galaxy S25 Edge just tipped for two Galaxy S25 Ultra-level features
More about online security
23andME box

23andMe has declared bankruptcy — here's how to delete your data now

A man filing his taxes electronically on a laptop

AI-powered tax scams are here - how to stay safe from deepfakes, phishing and more this tax season
Nintendo Switch 2

Nintendo Switch 2 tipster may have just leaked release month and launch plans
See more latest
Most Popular
Nintendo Switch 2
Nintendo Switch 2 tipster may have just leaked release month and launch plans
COLUMBUS, OHIO - JANUARY 26: Amber Glenn skates in the Women's Free Skate during the U.S. Figure Skating Championships at Nationwide Arena on January 26, 2024 in Columbus, Ohio. (Photo by Matthew Stockman/Getty Images)
How to watch World Figure Skating Championships 2025: live streaming, schedule, what TV channel?
Disney Plus logo
Disney Plus upgrade just fixed one of my biggest problems with the home page
Tom Hiddleston as Robert Laing in "High Rise" now streaming on Netflix
5 best Netflix movies in March you haven't watched yet
Split image featuring the Galaxy S25 Edge (left) and Galaxy S25 Ultra (right)
Samsung Galaxy S25 Edge just tipped for two Galaxy S25 Ultra-level features
iPhone 16 with Apple Intelligence logo for iOS 18.1
iOS 18.4: All the newest Apple Intelligence features coming to your iPhone
Maria Debska in "Just One Look" now streaming on Netflix
3 best Netflix shows in March you haven't watched yet
Wolfenstein: The Old Blood
Amazon is giving away a ton of free games for its Big Spring Sale — here’s how to claim yours
Park Ji-hoon in "Park Ji-hoon" now streaming on Netflix
Netflix just added this action-packed drama ahead of season 2 — and viewers rate it 96% on Rotten Tomatoes
Dark Side of the Ring
How to watch 'Dark Side of the Ring' season 6 online — stream wrestling doc from anywhere