Hack Report (Credit Card Breach): UPS Store August 2014
Published August 28, 2014
by Rachael O'Halloran
UPS Store - Latest Breach
Heads Up! This Could Affect YOU!
Affecting about 100,000 customers of The UPS Store.
The UPS Store announced this week that it had suffered a massive data breach at 51 of its sites across the United States.
Now Read It In The Way An Affected Consumer Might Read It
The UPS Store Notifies Customers Of Potential Data Compromise and Incident Resolution
San Diego CA – August 20, 2014 –
- [I take it that this notice IS my official notification!]
The UPS Store, Inc., among many other U.S. retailers,
- [Oh My God, what other stores have I shopped at that the government notified them of a breach. And, why the hell aren't they notifying ME?]
recently received a government bulletin regarding a broad-based malware intrusion not identified by current anti-virus software.
- ["Broad-based" means nothing to me except maybe it reaches far from home base. "Not identified by current anti-virus software" simply means they don't know what it was.]
Upon receiving the [government] bulletin, The UPS Store retained an IT security firm and conducted a review of its systems and the systems of its franchised center locations.
- [I'm sure they ran right out to get help and that there was a panic in the company, but hey, I matter too. What about getting a list of those customers and notifying them sooner, rather than later?]
The UPS Store discovered malware identified in the bulletin on systems at 51 locations in 24 states (about 1%) of 4,470 franchised center locations throughout the United States.
- ["51 locations in 24 states out of 4,470" looks impressive and when one initially reads it, it makes the numbers appear to lessen the severity of the breach, which is the intention when you see numbers that try to minimize damage, but it doesn't fool me.
- 51 is a lot, 24 locations is a lot - and that's just the locations they know about.
- 4,470 franchises tells me some people MAY be looking to get out of the franchise business and look for something more stable. When you have to rely on computer systems of a parent company, if and when the parent company goes down, you go down. Give me a Mom and Pop organization any day.]
Based on the current assessment by The UPS Store and the IT security firm, certain customers’ information, who used a credit or debit card at the 51 impacted franchised center locations between January 20, 2014 and August 11, 2014, may have been exposed. For some center locations, the period of exposure to this malware began after January 20, 2014. The malware was eliminated as of August 11, 2014 and customers can shop securely at all The UPS Store locations.
- ["current assessment" means this is not the final assessment. "center locations" implies shopping center locations, I believe. They say "it was eliminated on August 11, 2014 and customers can shop securely now at all locations." But knowing they had a hack, would you shop there again? Maybe without a credit card, but still, name and addresses are collected for package handling. All a hacker needs is a name and address.]
Tim Davis, President The UPS Store, Inc said: “I understand this type of incident can be disruptive and cause frustration. I apologize for any anxiety this may have caused our customers. At The UPS Store the trust of our customers is of utmost importance. As soon as we became aware of the potential malware intrusion, we deployed extensive resources to quickly address and eliminate this issue. Our customers can be assured that we have identified and fully contained the incident,” Davis said.
- [They quickly addressed the issue on their end, but they waited 8 months on my end to tell me of the breach. That's 7 months and 29 days too long. He said they "addressed and fully contained the incident." Sounds like they called "Ghostbusters."]
Data Breach: January 2014 through August 11, 2014
Here's the official announcement:
"The UPS Store Notifies Customers Of Potential Data Compromise and Incident Resolution -- San Diego CA – August 20, 2014 – The UPS Store, Inc., among many other U.S. retailers, [my emphasis - I am still looking for the many other US retailers] recently received a government bulletin regarding a broad-based malware intrusion not identified by current anti-virus software.
"Upon receiving the bulletin, The UPS Store retained an IT security firm and conducted a review of its systems and the systems of its franchised center locations.
"The UPS Store discovered malware identified in the bulletin on systems at 51 locations in 24 states (about 1%) of 4,470 franchised center locations throughout the United States.
"Based on the current assessment by The UPS Store and the IT security firm, certain customers’ information, who used a credit or debit card at the 51 impacted franchised center locations between January 20, 2014 and August 11, 2014, may have been exposed.
"For some center locations, the period of exposure to this malware began after January 20, 2014. The malware was eliminated as of August 11, 2014 and customers can shop securely at all The UPS Store locations.
“I understand this type of incident can be disruptive and cause frustration. I apologize for any anxiety this may have caused our customers.
Tim Davis, President The UPS Store, Inc. said:
"At The UPS Store the trust of our customers is of utmost importance. As soon as we became aware of the potential malware intrusion, we deployed extensive resources to quickly address and eliminate this issue. Our customers can be assured that we have identified and fully contained the incident.”
Free!
"Based on the current assessment, the earliest evidence of the presence of this malware at any location is January 20, 2014. For most The UPS Store locations, based on our current assessment, the period of exposure to this malware began after March 26, 2014. This malware was eliminated as of August 11, 2014 and customers can shop securely at The UPS Store."
~~*~~*~~*~~*~~*~~*
After their apology statement, they throw in the normal spiel that they will offer an identity and credit monitoring service for 12 months that helps ONLY affected consumers to monitor their credit reports. Sometimes a company offers this for free for a set length of time; some are not free and are only discounted.
They should all be free!
It was not the consumer's fault that their company got hit with malware, but the consumer is the one who gets hurt in the end with compromised credit.
The monitoring service is available to those who used a debit or credit payment card at any of the 51 locations which were hit by malware during the stated date ranges. Your credit card statement or receipt is your proof of eligibility for the identity and credit monitoring service the company is offering.
Who keeps those receipts after checking their credit card statement, if they even bother?
Ok, I do and maybe some of you too. But I have a husband who tosses them in the trash can right outside the store (yes, he makes me crazy!!!) and I've seen other people just leave them on the counter, then leave the store.
If the store's computers didn't get hacked, the store trash receptacles can be a gold mine for an opportunistic dumpster-diving thief. It just takes a name, the last 4 digits of a credit card number on the receipt and, if one is also available, an address to be able to track someone - either the sender or the recipient on the other end.
Although offering a credit monitoring service is all well and good, I still think the consumer is getting the short end of the stick here because these companies have insurance for this type of thing, so that they can offer that identity monitoring service for free or almost free because they are covered for it.
What would you like to see these companies offer to consumers in addition to a monitoring service?
Author's Note
It is real easy to remember a company for a breach. Don't we always remember something bad before we remember something good about a company?
I don't see anything wrong with companies giving out gift cards for free services (or a meal or two if it was a food establishment), something where they will be remembered for their benevolence.
Giving me free credit services is something I can get on my own. For Free. It really isn't costing these companies much money at all - perhaps the cost of insurance premiums.
Every time you report a breach at your favorite store where you have shopped with a credit card, debit card or by check, it is a federal law that you automatically get free monitoring services from the credit card companies and banks for a minimum of 6 months.
Watching your credit card and bank statements is something that you can get for free.
If you want me to think better of a company, give me something for free I can use - gift card for restaurants, merchandise discounts, etc.
The UPS Store Apology
"We apologize for any inconvenience and impact this incident may have had on our customers. The UPS Store is offering identity protection and credit monitoring services to impacted customers.
In order to take advantage of this service, please visit https://theupsstore.allclearid.com.
In addition, customers are encouraged to closely monitor their card account activity and take other steps to help protect themselves outlined in the customer letter. The UPS Store representatives are available at 1-855-731-6016 for additional assistance."
The impacted center locations, along with the timeframe for potential exposure to this malware at each location, follows this statement.
List of Affected UPS Stores
| State | Address | Malware Intrusion Date |
|---|---|---|
| Arizona | 10645 North Tatum Boulevard, Suite 200, Phoenix | April 29, 2014 |
| Arizona | 5402 East Lincoln Drive, Scottsdale | January 26, 2014 |
| Arizona | 500 North Estrella Parkway Suite #B2, Goodyear | January 26, 2014 |
| Arizona | 3800 West Starr Pass Boulevard, Tucson | January 26, 2014 |
| California | 3419 East Chapman Drive, Orange | April 29, 2014 |
| California | 25A Crescent Drive, Pleasant Hill | April 29, 2014 |
| California | 1608 West Campbell Avenue, Campbell | July 1, 2014 |
| California | 3230 Arena Boulevard Suite 245, Sacramento | April 29, 2014 |
| Colorado | 3124 South Parker Road #A2, Aurora | March 26, 2014 |
| Colorado | 5910 South University Boulevard Suite C-18, Greenwood Village | April 29, 2014 |
| Colorado | 12081 West Alameda Parkway, Lakewood | April 29, 2014 |
| Connecticut | 35 East Main Street, Avon | March 28, 2014 |
| Connecticut | 1131 Tolland Turnpike Suite O, Manchester | July 1, 2014 |
| Florida | 2910 Kerry Forest Parkway D4, Tallahassee | January 20, 2014 |
| Florida | 1400 Village Square Boulevard #3, Tallahassee | January 20, 2014 |
| Georgia | 2700 Braselton Highway Suite #10, Dacula | April 29, 2014 |
| Georgia | 1353 Riverstone Parkway Suite 120, Canton | April 29, 2014 |
| Georgia | 1029 Peachtree Parkway North, Peachtree City | April 29, 2014 |
| Georgia | 6361 Talokas Lane, Suite C140, Columbus | January 26, 2014 |
| Idaho | 6700 North Linder Road Suite 156A, Meridian | April 29, 2014 |
| Illinois | 2033 North Milwaukee Avenue, Riverwoods | July 1, 2014 |
| Illinois | 276 East Deerpath Road, Lake Forest | March 26, 2014 |
| Louisiana | 17732 Highland Road Suite G, Baton Rouge | April 29, 2014 |
| Maryland | 10816 Town Center Boulevard, Dunkirk | April 29, 2014 |
| Nebraska | 4089 South 84th Street, Omaha | July 1, 2014 |
| Nevada | 5575 Simmons Street Unit 1, North Las Vegas | April 29, 2014 |
| Nevada | 2657 Windmill Parkway, Henderson | July 1, 2014 |
| Nevada | 7435 South Eastern Avenue Suite 105, Las Vegas | July 1, 2014 |
| Nevada | 561 Keystone Avenue, Reno | April 29, 2014 |
| New Jersey | 1385 Highway 35, Middletown | April 29, 2014 |
| New Jersey | 1409 Marlton Pike Route 70 East, Suite 168, Cherry Hill | April 29, 2014 |
| New Jersey | 201 Strykers Road, Suite 19, Lopatcong | April 29, 2014 |
| New York | 420 South Riverside Avenue, Croton On Hudson | April 29, 2014 |
| New York | 2520 Vestal Parkway East Suite 2, Vestal | April 29, 2014 |
| New York | 2316 Delaware Avenue, Buffalo | April 29, 2014 |
| North Carolina | 6409 Fayetteville Road, Suite 120, Durham | April 29, 2014 |
| North Carolina | 2217 Matthews Township Parkway, Suite D, Matthews | April 29, 2014 |
| North Carolina | 1639 US Highway 74A Bypass, Spindale | July 1, 2014 |
| North Carolina | 217 Paragon Parkway, Clyde | April 29, 2014 |
| North Dakota | 387 15th Street West, Dickinson | March 26, 2014 |
| Ohio | 829 Bethel Road, Columbus | April 29, 2014 |
| Oklahoma | 1006 West Taft Street, Sapulpa | April 29, 2014 |
| Pennsylvania | 322 Mall Boulevard, Monroeville | July 1, 2014 |
| Pennsylvania | 512 Northampton, Edwardsville | April 29, 2014 |
| South Dakota | 2601 South Minnesota Avenue Suite 105, Sioux Falls | July 1, 2014 |
| Tennessee | 115 Penn Warren Drive #300, Brentwood | April 29, 2014 |
| Tennessee | 1138 North Germantown Parkway Suite 101, Cordova | April 29, 2014 |
| Texas | 2201 Long Prairie, Suite 107, Flower Mound | April 29, 2014 |
| Texas | 5605 FM 423, Suite 500, Frisco | April 29, 2014 |
| Virginia | 3445 Seminole Trail Route 29 North, Charlottesville | April 29, 2014 |
| Washington State | 1400 West Washington Street Suite 104, Sequim | April 29, 2014 |
Links You Will Need
https://theupsstore.allclearid.com/
- Fill out the form to verify you used a payment card at the relevant time at the stated store. (see list of stores in this article)
However, my thing about that form is this:
- If the company said they didn't have enough information to locate the affected consumers, filling out this form must mean they have SOME amount of information to identify you to make sure you are an affected consumer! Right?
- I think - as with all breaches - companies wanting consumers to fill out this form is a case of bringing Mohammed to the Mountain instead of bringing the Mountain to Mohammed. Laziness.
- This form also brings out people who file claims fraudulently saying they are part of the breach and they really are not. They should lock up their butts too, in my humble but very opinionated opinion. lol
The UPS Store Home Page - News and Updates Section
US Federal law requires all three nationwide consumer credit reporting companies - Equifax, Experian and TransUnion - to give you a free credit report every 12 months if you ask for it. ASK!
Credit Karma - Free Credit Report - Great site offers free service.
Experian - Get a one time credit report for $1.00
Equifax - THIS IS A SERVICE OFFERED FOR A $19.95 PER MONTH FEE - gives credit reports for all 3 top credit reporting agencies by filing a request here. Credit card required!
Experian Identity Theft Protection - $15.95 per month monitoring service
Freecreditreport.com - FREE once a year report - if you want credit score, it carries a $1.00 fee
~~*~~*~~*~~*~~*~~*~~*~~*~~*
Rachael O'Halloran's "Common Sense" Security List™
- Any identity protection services offered by a breached company should be completely free - NOT discounted. If it is discounted, call the company and tell them you want it for free. Minimum ONE YEAR.
- Whether there has been a breach or not, as a normal practice, always review your credit card statements carefully and call your bank if you see any suspicious transactions.
- After a breach, there will always be some crook who starts up a scam by sending emails or making phone calls offering people identity theft protection. They are "phishers" of men. HANG UP.
- If, after ANY breach, your bank or credit card company doesn't offer ID protection (which they should), tell them you are going to find a company who cares about their customers. Follow through and do it!
- Anytime you hear of a breach, go to that company's website and on the security information screen, click on the links to see what areas have been breached. Then review your activity by using your calendar or credit card statements to see if you have crossed paths. Go back 6 months longer than the stated date on the breach because they always underestimate the starting date of malware breaches. (example: Target - 1 year longer, PFChang - 3 months longer)
- If a company offers an IDPROTECT™, LIFELOCK™, ALLCLEAR ID™ or similar type coverage, go to their website and check with them for the latest news. BOOKMARK IT so you have it to come back to or to forward to friends. Usually - and I use the word loosely - usually the personal information you enter to sign up for their FREE monitoring services is safe.
NOTE:
- Never use the same password for more than one website or company.
- Change passwords every 3 to 6 months.
- If you haven't visited the website of a company whose card you use often, it's time to take a look.
Data breaches are happening so often now that the US Government issued an advisory publication about POS (Point Of Sale) Malware and you can read it here:
So, get on the ball and keep track of your personal footsteps so if and when you ever get notified of a breach, it won't come as such a big shock to you.
You will, at the very least, be minimally prepared.
- I have moved a lot of articles over to my blogs and I stopped reporting on breaches on HubPages about 2 months ago due to some harassing emails telling me that I was getting people upset about them each time I reported a new breach. "Stop reporting about breaches. We don't wanna know," one email said. Another said, "You should concentrate on one thing - COPYRIGHTS and don't write about anything else."
Since both of those people were sockpuppet names (fake accounts, since closed) for other HP names, I don't know who they were, nor do I care. I write what I wish. I took the two months time to get my blogs in order. So if my breach articles are not as frequent, it is because I am putting them on my blogs. At the moment, I do not have one single unfeatured hub, so if HubPages decides they don't like the breach reports, they can unpublish them or at the very least they can unfeature them.
Thank you for reading.
Rache
Think About Requesting A Security Freeze At Credit Bureau
Disclaimer: This is what I, Rachael O'Halloran, do to help me keep on top of things. This list is by no means a guaranteed fix. These are suggestions.
I put a Security Freeze (credit freeze) on my credit file with each of the top three credit bureaus - Experian, Equifax and TransUnion.
- This keeps all those pesky credit card applications and other offers (insurance, timeshare, refinance mortgage, donation requests etc.) from coming in the mail.
Typically, I don't apply for new credit cards during the freeze time because they will not be able to access my credit report.
- However, I always apply for a single credit card at least ONE TIME, to make sure the freeze is working. I just make sure it is a credit card application I don't particularly have my heart set on being approved. If I get the card, I know the freeze is not on and I have to find out why. If I am denied because they can't access my credit report, I know it worked.
Each company who sends a credit card offer has to have already accessed your credit report (and they do it without your consent!) in order to know if you are a good risk or not so they can make an offer to you.
The freeze is good for as long as you want it (up to 5 years) and can be removed at any time.
- If you are going to buy a house or make a large purchase (apply for a home equity loan, buy a car, any kind of loan, etc.) in the next 6 months, this is NOT a good idea because of the turn-around time involved in putting on and taking off the freeze.
- It takes 30 to 60 days to get you set up so that the system stops the inquiries, and then another 30 days to forget all about you when you take it off.
If you have no big life decisions or purchases in your immediate future, go for it.
After two years, I lifted mine because we bought houses in Virginia and in Florida when moving from California. But when we were settled, I put the freeze back on again with all three credit reporting companies.
It didn't cost me a dime here on the East Coast, but when I lived in California I had to pay a $5.00 fee. I am told it varies by the state you live in.
They will require some identification before honoring the freeze request. Name, Social Security Number, Date of Birth, Proof of residence, all home Addresses for the last 10 years and a copy of a driver's license or government issue ID.
- This is peace of mind for me only to keep those hundreds of offers from being sent in the mail and to keep my credit score in the excellent range.
Freezing keeps my credit score from fluctuating because each inquiry makes your credit score drop a certain number of points.
- Don't ask me how they tabulate it. I just see mine going down when I'm not on a freeze and I keep getting all those mailings.
For example: I was at 950 credit score in California. I lifted the freeze to buy the 2 houses and make some large purchases on time payments (credit). Just for the 8 months of not having the freeze on the credit report, it went down to 825 points. Still in a good range, but a big drop in rating points. Then the offers started pouring in.
I got over 300 offers in the mail for:
- Credit cards, debit cards, pre-paid cards
- Financing a home mortgage
- Offering better mortgage rates
- Refinancing mortgage
- You won 3 days, 2 nights weekend to come to our timeshare pitch. Because of your excellent credit rating, (and they put my rating in their letter!) we are prepared to offer you special financing so you buy at our rock bottom prices. Hurry, offer expires (date). You can count on getting another offer from them within 30 days with an extended date.
- We will buy your timeshare (has my timeshare address and their ballpark money offer!)
- We will eliminate your timeshare fees for life! (I see on my credit report that they checked my credit to see if I qualified for their program).
- $100,000 life insurance GUARANTEED for your age! (it always says it is at a good rate, no matter how old I am, because I've been getting these for 20 years. The offers always include all my personal information - age, date of birth, residence, and health status)
- I can't tell you how many donation requests I get. They increase every year in June and January.
So you can see that your credit report doesn't only keep a list of your credit cards, mortgages and other loans. Each time an inquiry is made - that is anyone who ever asked about you, ran a credit check or accessed your credit file for any reason - your credit report shows you their name, address and phone number, with the date they inquired. This is whether you get the credit card or take them up on their offer or not. It is still listed.
- If you decide to put a freeze on your account so that companies are not able to make inquiries or send you their offers, write down your credit rating at the start of the freeze and compare it to the rating at the end of the freeze, allowing at least one year from beginning to end.
- Then leave off the freeze, noting the credit score and allow at least 6 to 9 months to go by while receiving all those offers and compare your credit rating.
I put my freeze back on in June 2014 and just now, in August 2014, I'm seeing a reduction in mail offers. My credit rating is back up in the healthy 900's.
~~*~~*~~*~~*~~*~~*~~*~~*~~*~~*~~*~~*
Your credit rating impacts anything you want to do -
- buy a car,
- get a credit card of your choice,
- buy a house, and
- sometimes getting a job, especially in financial services fields - where they check your credit score to make sure you are not in bankruptcy so they don't think you are a risk to their financial department. (think: embezzlement, cooking the books, etc.)
Do Not Copy
© Rachael O'Halloran, August 28, 2014