Credit and debit card information belonging to customers who did business at 51 UPS Store Inc. locations in 24 states this year may have been compromised as the result of an intrusion into the company's networks.
In a statement Wednesday, UPS said it was recently notified by law enforcement officials about a "broad-based malware intrusion" of its systems.
A subsequent investigation by an IT security firm showed that attackers had installed previously unknown malware on systems in more than four-dozen stores to gain access to cardholder data. The affected stores represent about 1% of the 4,470 UPS Store locations around the country.
The intrusion may have exposed data on transactions conducted at the stores between Jan. 20 and Aug. 11, 2014. "For most locations, the period of exposure to this malware began after March 26, 2014," UPS said in a statement.
In addition to payment card information, the hackers also appear to have gained access to customer names, as well as postal and email addresses.
Each of the affected locations is individually owned and runs private networks that are not connected to other stores, UPS added. The company provided a list of affected locations.
The breach is the third significant one to be disclosed in the past week. Last Thursday, grocery store chain Supervalu announced it had suffered a malicious intrusion that exposed account data belonging to customers who had shopped at about 180 of the company's stores in about a dozen states. The breach also affected customers from several other major grocery store chains for which Supervalu provides IT services.
On Monday, Community Health Systems, one of the largest hospital networks in the country, announced that intruders had accessed and copied personal data belonging to about 4.5 million people who were treated by or referred to the hospital's physicians. Data compromised in the breach included Social Security numbers, birth dates and phone numbers, CHS noted.
The breaches highlight just how vulnerable U.S. private networks continue to be to hacker threats. Despite all the attention and concern generated by the massive data breach at Target last fall, many companies appear as unprepared as ever to detect and mitigate network intrusions.