United Parcel Service Inc. said a breach of computer security at some of its UPS Store retail outlets may have exposed customers' personal and payment data this year.
Malware was found at 51 locations in 24 states, or about 1 percent of the 4,470 franchise stores across the U.S., UPS said yesterday in a statement. About 105,000 transactions were affected, although the company can't yet say how many customers, said Chelsea Lee, a UPS Store spokeswoman.
The incursion adds Atlanta-based UPS to a roster of major companies facing attacks from hackers, including hospital operator Community Health Systems Inc. and supermarket chain Supervalu Inc. Thieves stole credit card numbers and other personal information from at least 70 million Target Corp. customers last year, the biggest retail hack in U.S. history.
UPS, the world's largest package-shipping company, said its breach may have been limited because each franchised retail outlet is individually owned and runs independent, private networks not connected to other locations. That arrangement "definitely helped," Lee said in an interview.
At risk are UPS Store customers who used a credit or debit card at one of the affected locations from Jan. 20 through Aug. 11, the company said. At most of the locations, exposure to the malware began after March 26, and it was eliminated from all locations by Aug. 11, UPS said.
Information that may have been revealed includes names, postal and e-mail addresses, and payment-card data, the company said. Not all information may have been exposed for each customer.
UPS Store is offering identity protection and credit monitoring programs for one year at no charge to customers who may have been affected, Lee said. The company currently has no evidence of fraud from the breach.
The incident is another setback for UPS, which missed some promised Christmas deliveries in 2013 when the company couldn't keep pace with a surge of last-minute online purchases. UPS had to hire 85,000 temporary workers, raising costs and paring quarterly profit.