Cyber Incident Victim: United Parcel Service

Date: Sep 2019

Location: United States of America

Summary

A phishing incident compromised email accounts at a small percentage of UPS Store locations, potentially exposing sensitive customer information including names and other personally identifiable details depending on documents within affected emails. The breach impacted approximately 100 franchise stores, representing less than two percent of the company's U.S. network, with unauthorized access occurring over several months. While no point-of-sale systems were involved, the investigation revealed customer data within the compromised email accounts. Affected individuals were offered complimentary credit monitoring services for two years. This event followed an earlier unrelated malware incident at some locations years prior, though no fraud was linked to that previous occurrence. The company implemented enhanced security measures following the phishing attack.

Description

The UPS Store phishing incident unfolded between September 29, 2019, and January 13, 2020, compromising email accounts at approximately 100 U.S. franchise locations—representing less than two percent of the company’s 5,000 domestic centers. Attackers gained unauthorized access through phishing campaigns targeting store employees, though the specific phishing methods were not detailed in public disclosures. During subsequent forensic reviews, investigators discovered that compromised email accounts contained sensitive customer information, including Personally Identifiable Information such as names. The exact scope of exposed data varied by individual case, depending on the documents and communications stored within each breached mailbox. The incident did not affect point-of-sale systems, corporate networks, or transactional databases, limiting the breach to localized email account compromises. No evidence suggested fraudulent misuse of the accessed data during the investigation period. The company acknowledged that only a "very small fraction" of customers across the impacted stores had their information exposed, though precise numbers were not disclosed. This marked the second significant cybersecurity event for the franchise chain, following a 2014 malware incident at 51 locations that potentially exposed payment card details and contact information.

Upon detecting the phishing campaign, The UPS Store initiated an investigation to identify compromised accounts and assess data exposure. Forensic analysts confirmed the presence of customer PII within affected mailboxes, prompting notifications to individuals whose information was identified in the review. Impacted customers received complimentary 24-month subscriptions to Experian IdentityWorks for credit monitoring and identity theft protection. The company emphasized ongoing efforts to enhance security protocols and employee training to mitigate future phishing risks but did not specify technical or procedural changes implemented. Public statements from UPS representatives clarified that the breach remained confined to email systems and reiterated the franchise model’s operational independence, noting each store manages its own communications and document retention. No regulatory fines or legal actions were referenced in disclosures, and the incident did not disrupt retail operations or shipping services. The resolution timeline aligned with standard breach notification practices, concluding customer alerts and remediation offers within weeks of the investigation’s completion.
