UPS Store headquarters issued a letter [1] to possible “victims of a phishing incident” that included Rhode Island UPS Store customers. Based on the letter, which hides the particulars, it looks like a criminal convinced an employee or employees in the UPS Store system to provide store email credentials. Once the criminal had these credentials, customers emailing the store were also (or maybe only) sending their documents to the criminal. And possibly any data that had been kept in the email accounts was accessed.
If you haven’t suffered a loss in a breach situation, it’s tempting to shrug off the risks and dangers. Would anyone email credit card information to a UPS Store? Or Social Security numbers? It’s possible. But criminals work social engineering attacks with little details about people’s lives. A small, personal detail can make a person relax and then leave them open to being exploited. Mary Ormsby of the Toronto Star reported on a woman who was as good as duped out of $12,500 by criminals who maybe only had her family’s nickname for her and knew she had a nephew. [2] This story had a happy ending; most stories like these never get told because of victims’ embarrassment.
So organizations need to be vigilant in protecting their customers’ information from being lost to criminals. Consider these measures:
• Phishing email training for your employees
• Email encryption
• A system that keeps customer data from resting at an endpoint — such as being transmitted by email or sitting in an email account
Is Prevention Worth It?
Try to imagine the costs to UPS for this data breach. Per their letter, to minimize the risk of financial exposure, they made available to victims a program of credit and dark web monitoring. Will people think twice about sending things to a UPS Store, wondering how securely UPS will treat their information? According to IBM’s annual data breach report, [3] lost business is the number one resultant cost of a cyberattack. IBM breaks the costs of an attack into four categories (also including post-breach response [insurance, fixing the problems], notification [responses to regulators and customers] and detection and escalation [finding and reporting the breach]). The average cost of a breach is getting close to $4MM. UPS can afford it. Can your business?