The United Parcel Service (UPS) revealed that a phishing incident might have exposed the information of some of its customers. In its “Notice of Data Breach” letter, UPS disclosed that an unauthorised person had used a phishing attack to gain access to store email accounts at some of its store locations between September 29, 2019 and January 13, 2020.
UPS did not specify in the letter precisely how many stores were involved, only saying that a “small percentage” were hit by the criminal act, which took place between approximately Sept. 29, 2019 and Jan. 13, 2020. However, Robinson clarified that the breach affected about 100 stores, less than two percent of The UPS Store’s U.S. locations.
The company said that since discovering the breach, it hired a third-party cyber firm to conduct an investigation, and it “has taken steps to further strengthen and enhance the security of systems in The UPS Store, Inc. network, including updating administrative and technical safeguards.”
It’s good to see UPS informing their customers as soon as they discovered the breach and outlining the steps they’ve taken. The incident increasingly demonstrates the impact on companies and their customers that can arise from even the most basic of phishing attacks. There should be no reason in today’s age that any company does not take steps to deliver security awareness and training to all their staff and contractors to ensure they are best placed to identify and report a phishing or any other form of social engineering attack.
Here we have another example of the most common issue facing companies today – phishing attacks that allow bad actors to breach corporate systems. It is clear that phishing is never going to be eradicated, so companies need to do all they can to protect against it. The challenge is there are many ways that bad actors breach systems using phishing. Providing protection against credential misuse by deploying MFA/Advanced authentication is one of the primary protections. In addition, companies should ensure they have full visibility of user accounts, entitlements and behaviour with the ability to spot anomalous and risky behaviour quickly and remediate.