UPS Faces Data Breach, Backoff Malware Evolves

Last week, UPS confirmed that it is the most recent victim of a "Backoff" malware attack. UPS is now warning its subsidiary, The UPS Store, that it has suffered a POS malware attack compromising numerous card transactions over the past seven months. So far, 51 of its U.S. franchised center locations across 24 states have been found infected. All in all, about 105,000 credit and debit card transactions were compromised in the data breach; however, the specific number of customers affected has not been revealed.
"Customer information that may have been exposed includes customers' names, postal addresses, e-mail addresses and payment card information," says a breach FAQ published by UPS. "At this time, we are not aware of any reports of fraud associated with the potential data compromise." In a letter sent to some affected consumers, however, UPS also warns that anyone who signed up for one of its Mail Manager accounts may have also had their Social Security number and driver's license numbers compromised.
The company says it began auditing POS systems for malware infections after receiving a government alert on July 31 about a rise in POS malware attacks, including a number of Backoff variants designed to infect POS systems and steal credit and debit card data when cards are swiped.
"As soon as we became aware of the potential malware intrusion, we deployed extensive resources to quickly address and eliminate this issue. Our customers can be assured that we have identified and fully contained the incident," said Tim Davis, president of The UPS Store, in a statement. "I understand this type of incident can be disruptive and cause frustration. I apologize for any anxiety this may have caused our customers."
On August 22, the United States Secret Service and the Department of Homeland Security issued a warning that a POS malware family labelled "Backoff" may have infected the systems of more than 1,000 organizations and is a significant threat to the security of cardholder data in all organizations. The malware was first released in 2013, infecting electronic cash registers (ECRs) and similar POS systems, and was not recognized by anti-virus software until August.
The United States Computer Emergency Readiness Team (US-CERT) has now identified five variants of the "Backoff" malware, each with notable modifications, and the malware has been found in at least three separate forensic investigations. Because the variants are largely undetected by AV vendors, retailers cannot rely on signature-based protection alone and are advised to monitor for indicators of compromise (IOCs) to determine whether they have been infected.
POS systems continue to be an attractive target for highly sophisticated criminal gangs, because they are the access point to a trove of customer data, including full payment card information. They are also usually under-protected when compared to typical enterprise systems that reside in a data center or on a corporate network.
Additional information and recommendations are available from the PCI Council, and further warnings and guidance are available from US-CERT.