Global shipping giant UPS has confirmed it has experienced a data breach that may have exposed some customer data.
According to Emsisoft threat analyst Brett Callow, who announced the discovery via Twitter, customers have been receiving a letter from UPS which says, "UPS is aware that some package recipients have received fraudulent text messages demanding payment before a package can be delivered."
Despite promises to be investigating via an internal review, and the subsequent revelation of how the scammer got hold of customer information, UPS has been scrutinized for the way it handled the event.
The letter from UPS Canada starts by generally describing phishing and smishing attacks, leaving it until halfway through before disclosing that some customers have actually been affected. It's unclear whether other regions that UPS operates in are also affected.
Callow said in the thread: "This is not what a data breach notification should look like. They should immediately make clear what they are or else people will do what I almost did and put them in the recycling unread."
UPS has confirmed that the attacker abused its package look-up tool to obtain information about the delivery, which it says "potentially [included] a recipient's phone number." The phishing scam uses victims' phone numbers to demand payment for a package ahead of delivery.
It is believed that details, including the recipient's name, shipment address, and "potentially phone number and order number" were obtained between February 1, 2022 and April 24, 2023, over a period spanning more than a year.
Bleeping Computer reports of numerous malicious messages, likely linked to this attack, that have been seen by the publication. It appears that the threat actor has posed as Apple and Lego, both of which are known for heavily using UPS's services for fast delivery.
A UPS spokesperson told TechRadar Pro:
"We are constantly vigilant when it comes to phishing and other attempts from bad actors. UPS is aware of reports relating to an SMS phishing ("Smishing") scheme focused on certain shippers and some of their customers in Canada. UPS has been working with partners in the delivery chain to understand how that fraud was being perpetrated, as well as with law enforcement and third-party experts to identify the cause of this scheme and to put a stop to it. Law enforcement has indicated that there has been an increase in smishing impacting a number of shippers and many different industries.
Out of an abundance of caution, UPS is sending privacy incident notification letters to individuals in Canada whose information may have been impacted. We encourage our customers and general consumers to learn about the ways they can stay protected against attempts like this by visiting the UPS Fight Fraud website."
For now, concerned users should consider using identity theft protection tools to keep on top of their personal data.
Via Bleeping Computer