UPS Reveals Data Breach

POS Malware Compromises 105,000 Transactions at 51 Stores

By Mathew J. Schwartz, August 21, 2014. Follow Mathew J. @euroinfosec

UPS is warning that subsidiary UPS Stores suffered a point-of-sale malware attack that compromised numerous card transactions over a seven-month period. All told, 51 of its U.S. franchised center locations across 24 states were infected, which may have resulted in attackers compromising customers' personal information and payment card details, thus placing them at risk of identity theft and fraud.

About 105,000 credit card and debit card transactions were compromised in the data breach, UPS spokeswoman Chelsea Lee tells Information Security Media Group. The number of customers affected has not been revealed.

Atlanta-based UPS is the world's largest express carrier and package delivery company, and also owns UPS Stores, which is a franchiser of almost 4,700 retail shipping stores in the United States, Puerto Rico and Canada. UPS says the breach began earlier this year - on January 20 for some locations, and by March 26 for the rest - and lasted until August 11, when the company says the breach was eradicated. About 1 percent of UPS Stores were breached, says UPS, which published a list of affected stores, including the breach inception date and duration.

"Customer information that may have been exposed includes customers' names, postal addresses, e-mail addresses and payment card information," says a breach FAQ published by UPS. "At this time, we are not aware of any reports of fraud associated with the potential data compromise."

Internal Investigation Spots Breach

UPS says it began auditing all POS systems at UPS Stores for malware infections after receiving a July 31 government alert about a rise in POS malware attacks, including a number of Backoff variants designed to infect POS systems and steal credit and debit card data when cards are swiped. "As soon as we became aware of the potential malware intrusion, we deployed extensive resources to quickly address and eliminate this issue. Our customers can be assured that we have identified and fully contained the incident," says UPS Store president Tim Davis in a statement. "I understand this type of incident can be disruptive and cause frustration. I apologize for any anxiety this may have caused our customers."

UPS says each franchised store is individually owned and "runs an independent private network" that isn't connected to any other location's network. That suggests attackers hacked directly into each store's network to infect POS devices with the memory-scraping malware.

So far, however, UPS has declined to comment about whether the malware discovered on its systems by digital forensic investigators was Backoff. "We're still continuing the investigation," says Lee at UPS. "The reason we issued the notification now was to alert potentially impacted customers."

In a letter to customers, UPS says any customers who used a credit or debit card at the affected locations during the time period in which systems were infected by the POS malware will be given one year's worth of free identity theft and credit monitoring.

Government Backoff Alert

The July 31 "Backoff: New Point of Sale Malware" warning that spurred the UPS investigation was issued by the Department of Homeland Security, the U.S. Secret Service and the Financial Services Information Sharing and Analysis Center, or FS-ISAC. They said three different digital forensic investigations found cases where the Backoff malware was used to successfully infect POS systems, with attackers often sneaking the malware onto systems via businesses' remote-access portals.

According to the alert, attackers have been actively scanning for businesses that use remote-desktop applications such as Apple Remote Desktop, Chrome Remote Desktop, Join.me, LogMeIn, Microsoft's Remote Desktop, Pulseway, and Splashtop 2.