Global shipping giant UPS has confirmed it has experienced a data breach that may have exposed some customer data.
According to Emsisoft threat analyst Brett Callow, who announced the discovery via Twitter, customers have been receiving a letter from UPS which says, “UPS is aware that some package recipients have received fraudulent text messages demanding payment before a package can be delivered.”
Despite promises to be investigating via an internal review, and the subsequent revelation of how the scammer got hold of customer information, UPS has been scrutinized for the way it handled the event.
UPS phishing scam results in data breach
The letter from UPS Canada starts by generally describing phishing and smishing attacks, leaving it until halfway through before disclosing that some customers have actually been affected. It’s unclear whether other regions that UPS operates in are also affected.
Callow said in the thread: “This is not what a data breach notification should look like. They should immediately make clear what they are or else people will do what I almost did and put them in the recycling unread.”
UPS has confirmed that the attacker abused its package look-up tool to obtain information about the delivery, which it says “potentially [included] a recipient’s phone number.” The phishing scam uses victims’ phone numbers to demand payment for a package ahead of delivery.
It is believed that details, including the recipient’s name, shipment address, and “potentially phone number and order number” were obtained between February 1, 2022 and April 24, 2023, over a period spanning more than a year.
Bleeping Computer reports of numerous malicious messages, likely linked to this attack, that have been seen by the publication. It appears that the threat actor has posed as Apple and Lego, both of which are known for heavily using UPS’s services for fast delivery.
TechRadar Pro has asked UPS what it is doing to protect users and prevent future attacks, but the company did not immediately respond. For now, concerned users should consider using identity theft protection tools to keep on top of their personal data.