Lessons learned from UPS Store breach

The security breach discovered at a few dozen franchises of the UPS Store, a subsidiary of United Parcel Service, provides a number of lessons for other retailers.

The UPS Store reported Wednesday that malicious software was found within the in-store cash register systems of 51 franchises in 24 states, or about 1 percent of the 4,470 U.S. stores.

The compromise exposed customer names, postal and email addresses and payment card information. How many people were affected was not disclosed.

Malware infections on so-called point-of-sale systems were also discovered in a string of breaches reported by other major retailers, including Michaels, Neiman Marcus, P.F. Chang's, Sally Beauty, Target and, more recently, the Albertsons and Supervalu supermarket chains.

In all the computer break-ins, the hackers scanned the networks for tools that let employees and vendors access systems remotely. Once the tools were found, the criminals focused on finding vulnerabilities or stealing credentials to let themselves in.

Once a system was breached, the attackers moved laterally through the network to the electronic cash register systems, where they planted malware to capture payment card data.

Because credit-card data often remains in plain text until it arrives at the payment processor, an obvious precaution is to encrypt the information as soon as the card is swiped and leave the decryption key with the processor, experts say.

Such a system would be expensive to install, since it would involve replacing card readers and upgrading software within the POS systems. Nevertheless, with hackers exploiting the weakness, the cost is likely less than that of a breach.
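The encrypt-at-swipe design the experts describe, shown as an added example that is not code from the article or from the UPS Store's systems. It assumes a simple hybrid scheme (a one-time AES-256-GCM key wrapped with RSA-OAEP to the processor's public key) standing in for the DUKPT-style key management that commercial point-to-point encryption readers commonly use; the track data, the test PAN, and the names `EncryptingSwipe`, `ProcessorDecrypt` and `ScrapeForPAN` are constructed for the demonstration. The "RAM scraper" is a plain substring search for the PAN over the bytes the register holds, which is what the POS malware in these breaches did in a more elaborate form.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed track-2-style data: a Luhn-valid test PAN plus expiry and
// discretionary data. Not a real card.
const (
	trackData = "4111111111111111=25121010000000000000"
	testPAN   = "4111111111111111"
)

var oaepLabel = []byte("p2pe-example") // binds the wrapped key to this use

// Envelope is all the reader hands to the POS in the encrypt-at-swipe design:
// ciphertext only, which the register forwards but has no key to open.
type Envelope struct {
	WrappedKey []byte // one-time AES-256 key, RSA-OAEP to the processor's public key
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM of the track data
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptingSwipe models the hardened reader: encrypt under a fresh key the
// moment the card is read, wrap that key to the processor, wipe the plaintext.
func EncryptingSwipe(track []byte, processorPub *rsa.PublicKey) (Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return Envelope{}, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, track, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, processorPub, key, oaepLabel)
	if err != nil {
		return Envelope{}, err
	}
	for i := range key { // the reader keeps nothing that could decrypt later
		key[i] = 0
	}
	for i := range track {
		track[i] = 0
	}
	return Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// POSMemory is the byte image a RAM-scraping malware would see on the register.
func POSMemory(env Envelope) []byte {
	return bytes.Join([][]byte{env.WrappedKey, env.Nonce, env.Ciphertext}, nil)
}

// ScrapeForPAN models the malware's job: search process memory for card numbers.
func ScrapeForPAN(memory []byte, pan string) bool {
	return bytes.Contains(memory, []byte(pan))
}

// ProcessorDecrypt runs only at the payment processor, the sole private-key holder.
func ProcessorDecrypt(env Envelope, priv *rsa.PrivateKey) (string, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, oaepLabel)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	return string(pt), err
}

// RunDemo swipes the same card through the legacy and encrypting designs and
// returns (PAN visible on legacy POS, PAN visible on encrypting POS, what the
// processor recovered).
func RunDemo() (bool, bool, string, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // processor key pair; private half stays there
	if err != nil {
		return false, false, "", err
	}
	legacyMem := []byte(trackData) // legacy design: plaintext sits in POS memory until sent
	env, err := EncryptingSwipe([]byte(trackData), &priv.PublicKey)
	if err != nil {
		return false, false, "", err
	}
	seen, err := ProcessorDecrypt(env, priv)
	return ScrapeForPAN(legacyMem, testPAN), ScrapeForPAN(POSMemory(env), testPAN), seen, err
}

func main() {
	legacy, p2pe, seen, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("legacy POS exposes PAN: %v\nencrypting reader exposes PAN: %v\nprocessor recovered: %s\n", legacy, p2pe, seen)
}
```

The point the example makes is the one behind the cost argument: the scraper finds the PAN in the legacy register's memory and finds nothing in the encrypting design, while the processor still recovers the full track, and this only works because the encryption happens inside the reader hardware before any POS software sees the data, which is why readers have to be replaced rather than patched.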

Target, which reported its security breach late last year, says costs associated with the POS system compromise have reached $148 million.

The UPS Store started searching for the malware shortly after receiving, around July 31, a U.S. government warning that hackers were scanning retailers' networks for remote access tools.

Security experts praised the UPS Store for its quick response.

"This probably stopped it (the infection) from getting much worse," Chris Wysopal, chief technology officer for Veracode, said.

Because hackers are looking for network credentials, retailers need to make a list of the employees and vendors with remote access and restrict their privileges to those resources that are absolutely necessary.

Also, passwords should be changed at least every six months, and when vendors are dropped or employees leave, their credentials should be revoked immediately.

After receiving the warning, the UPS Store hired an IT security firm, which found the malware; it was removed from systems Aug. 11.

The malicious code had been in the store systems for as long as seven months before it was removed.

Technology called endpoint anomaly detection might have found the malware sooner. Such technology establishes a baseline of normal activity and then alerts if there is a deviation.

A protective technology recommended for POS systems is white-listing software that blocks any unknown code from executing.

"Whitelisting works really well in environments where the software that should be running is very restrictive, such as point-of-sale terminals," Wysopal said.
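The two controls described above, a baseline-then-alert anomaly detector and a hash allowlist, as an added example that is not code from the article or from any product or vendor it mentions. It runs over a handful of constructed endpoint telemetry lines in an assumed `key=value` format; the host name, the truncated placeholder hashes, the process names and the addresses (RFC 5737 documentation ranges) are all invented, and the baseline window is placed before the assumed infection so that it is learned from a clean period.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is one endpoint telemetry record from a register: kind=proc is a
// process start (with the executable's SHA-256), kind=conn an outbound connection.
type Event struct {
	Host, Kind, Proc, Parent, SHA256, Dst string
}

// ParseEvent parses the space-separated key=value format assumed here.
func ParseEvent(line string) (Event, bool) {
	var e Event
	fields := map[string]*string{"host": &e.Host, "kind": &e.Kind, "proc": &e.Proc,
		"parent": &e.Parent, "sha256": &e.SHA256, "dst": &e.Dst}
	for _, f := range strings.Fields(line) {
		kv := strings.SplitN(f, "=", 2)
		if len(kv) != 2 {
			return Event{}, false
		}
		if p, known := fields[kv[0]]; known {
			*p = kv[1]
		}
	}
	return e, e.Host != "" && e.Kind != ""
}

// Baseline is what a known-clean learning window looked like.
type Baseline struct {
	ProcPairs map[string]bool // "child<-parent" lineages seen
	Dsts      map[string]bool // "ip:port" destinations seen
}

// LearnBaseline records every lineage and destination in the clean window.
func LearnBaseline(lines []string) Baseline {
	b := Baseline{ProcPairs: map[string]bool{}, Dsts: map[string]bool{}}
	for _, l := range lines {
		e, ok := ParseEvent(l)
		if !ok {
			continue
		}
		if e.Kind == "proc" {
			b.ProcPairs[e.Proc+"<-"+e.Parent] = true
		} else if e.Kind == "conn" {
			b.Dsts[e.Dst] = true
		}
	}
	return b
}

// DetectAnomalies alerts on any lineage or destination the baseline never saw.
// A familiar file name with an unfamiliar parent still alerts.
func DetectAnomalies(b Baseline, lines []string) []string {
	var alerts []string
	for _, l := range lines {
		e, ok := ParseEvent(l)
		if !ok {
			continue
		}
		key := e.Proc + "<-" + e.Parent
		if e.Kind == "proc" && !b.ProcPairs[key] {
			alerts = append(alerts, fmt.Sprintf("%s: unseen process lineage %s", e.Host, key))
		}
		if e.Kind == "conn" && !b.Dsts[e.Dst] {
			alerts = append(alerts, fmt.Sprintf("%s: unseen destination %s from %s", e.Host, e.Dst, e.Proc))
		}
	}
	return alerts
}

// BlockedExecutions is the allowlisting decision: a process start is denied
// unless its hash is approved, whatever the file happens to be named.
func BlockedExecutions(allow map[string]string, lines []string) []string {
	var blocked []string
	for _, l := range lines {
		e, ok := ParseEvent(l)
		if !ok || e.Kind != "proc" {
			continue
		}
		if _, known := allow[e.SHA256]; !known {
			blocked = append(blocked, fmt.Sprintf("%s: blocked %s (sha256 %s not on allowlist)", e.Host, e.Proc, e.SHA256))
		}
	}
	return blocked
}

// Constructed telemetry. Hashes are truncated placeholders, addresses are
// documentation ranges; the baseline window predates the assumed infection.
var (
	baselineLines = []string{
		"ts=2013-12-02T08:00:01Z host=POS-12 kind=proc proc=pos.exe parent=explorer.exe sha256=1111aaaa",
		"ts=2013-12-02T08:00:02Z host=POS-12 kind=proc proc=svchost.exe parent=services.exe sha256=2222bbbb",
		"ts=2013-12-02T08:05:10Z host=POS-12 kind=conn proc=pos.exe dst=10.0.5.20:443",
		"ts=2013-12-02T08:05:11Z host=POS-12 kind=conn proc=pos.exe dst=203.0.113.10:443",
	}
	weekLines = []string{
		"ts=2014-02-03T08:00:01Z host=POS-12 kind=proc proc=pos.exe parent=explorer.exe sha256=1111aaaa",
		"ts=2014-02-03T08:00:02Z host=POS-12 kind=proc proc=svchost.exe parent=services.exe sha256=2222bbbb",
		"ts=2014-02-03T09:12:03Z host=POS-12 kind=proc proc=svchost.exe parent=pos.exe sha256=deadbeef",
		"ts=2014-02-03T09:12:04Z host=POS-12 kind=conn proc=svchost.exe dst=198.51.100.7:8080",
		"ts=2014-02-03T09:30:00Z host=POS-12 kind=conn proc=pos.exe dst=10.0.5.20:443",
	}
	allowlist = map[string]string{"1111aaaa": "pos.exe", "2222bbbb": "svchost.exe"}
)

func main() {
	b := LearnBaseline(baselineLines)
	for _, a := range DetectAnomalies(b, weekLines) {
		fmt.Println("ANOMALY", a)
	}
	for _, d := range BlockedExecutions(allowlist, weekLines) {
		fmt.Println("ALLOWLIST", d)
	}
}
```

The two controls catch the same constructed intrusion for different reasons: the anomaly detector flags the process because `pos.exe` has never spawned anything before and flags the outbound connection to a destination the register has never talked to, while the allowlist refuses the binary outright because its hash is unknown, even though it borrows the name of a legitimate Windows process. The caveat a practitioner should keep in mind is that the baseline must come from a genuinely clean window; malware that has been resident for seven months, as in the UPS Store case, would be learned as normal by a baseline taken during that time.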

Businesses like the UPS Store should enforce a standard security policy across franchises, Ehsan Foroughi, director of research for Security Compass, said.

Requirements could include an approved POS system, regular installation of updates and patches, regular password changes, controls for limiting employee and vendor access and regular security training for franchise owners, managers and POS workers.

"A lot of these breaches are because of people who just don't know the risks," Foroughi said.

Stories by Antone Gonsalves

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place