Cyber Incident Victim: United Parcel Service
Date:
Feb 2022
Location:
Canada
Summary
A multinational shipping company experienced a data breach where attackers exploited online package tracking tools to access customer information, including names, addresses, phone numbers, and order details. This data was subsequently used in widespread SMS phishing campaigns impersonating legitimate shipments, primarily impacting Canadian recipients but also affecting customers globally. The unauthorized access occurred over an extended period before being detected, prompting the company to implement security restrictions on its tools. Internal investigations involved collaboration with delivery chain partners and law enforcement, with notifications sent to potentially affected individuals in Canada to raise awareness. The incident highlighted broader smishing trends targeting multiple industries and shippers.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
UPS became aware of a data breach affecting Canadian customers after receiving reports of SMS phishing messages containing recipients' personal information between February 2022 and April 2023. The company determined that threat actors exploited its online package look-up tools to harvest delivery details, including recipient names, shipment addresses, phone numbers, and order numbers. This unauthorized access occurred despite UPS having these tools in place for legitimate tracking purposes. The compromised information was subsequently weaponized in smishing campaigns where attackers impersonated legitimate shipments from companies such as LEGO and Apple, demanding fraudulent payments for undelivered packages. While UPS confirmed the breach period spanned from February 1, 2022, to April 24, 2023, it acknowledged uncertainty regarding precise timelines of data misuse and stated only a "small group of shippers and some of their customers" were impacted. Online reports indicated the phishing attacks extended beyond Canada, with victims worldwide receiving personalized messages leveraging their exposed shipping data.
Following internal investigations, UPS collaborated with supply chain partners and law enforcement to identify the attack methodology and disrupt the phishing operation. The company implemented technical measures to restrict unauthorized access to sensitive customer information through its package tracking systems. UPS issued privacy incident notification letters to potentially affected individuals in Canada, though the exact number of compromised accounts remained undisclosed. These notifications emphasized transparency while advising customers to remain vigilant against fraudulent messages. The breach disclosure occurred in June 2023 through customer letters and subsequent media inquiries, with UPS publicly confirming the incident after BleepingComputer's report. The company directed customers to educational resources about phishing prevention but did not specify which additional brands were impersonated beyond LEGO and Apple in the malicious campaigns. Law enforcement agencies corroborated UPS's findings by noting a broader increase in smishing attacks targeting multiple shipping companies and industries during this period.