A phishing effort targeting The UPS Store which took place between September 29th, 2019 and January 13th, 2020 exposed personal and financial information for a number of their customers. Through investigation after the discovery of the attack, it appears that the exposed information was accessed through compromised employee email accounts from approximately 100 UPS Store locations. Information that the attackers were able to access varied depending on what documents were contained on the compromised accounts. In a statement, The UPS Store said, “Immediately upon discovering this incident, The UPS Store, Inc. initiated an investigation to assess the incident’s scope, including engaging a third-party cybersecurity firm, and has taken steps to further strengthen and enhance the security of systems in The UPS Store, Inc. network, including updating administrative and technical safeguards.” The company is providing affected customers with Experian’s IdentityWorks credit monitoring service for 24 months.
Although the attacker did not have access to a computer, it is estimated that they did control email accounts for approximately 100 stores. Using multi-factor authentication (MFA) to protect access to business email accounts is a strong defense because even if an attacker tricks employees into revealing passwords for email accounts, they will not be able to log in without access to the other authentication device. To protect customer information, companies may want to also establish a policy of deleting emails that contain sensitive data once there is no further use for it.
More information can be found at: bleepingcomputer.com/news/security/phishing-incident-at-ups-store-chain-exposes-customer-info/