Yesterday, the UPS Store fully disclosed a widespread incident of remote intrusion on its retail systems, based on a piece of malware we recently reported on. It's becoming clearer these days that even a gallon of prevention cannot fully protect companies from intelligent hackers intent on stealing consumer data. It's sad that this has become commonplace, and that we tend to just deal with it now and move on, but this is how our modern, technology-infested world works.
As consumers, it's easy to look at the UPS Store hack and become outraged that yet another incident, in a long, growing list of incidents, has taken place. But, based on even more, irresponsible events like the recent one about how Community Health Systems (CHS) was negligent in cyber intrusion, I think it's important to highlight what the UPS Store did right, not what it did wrong, and show how the UPS Store did something, while CHS did nothing.
US-CERT released a warning about potentially dangerous retail malware on July 13, 2014. We reported it the next day, on August 1, 2014. Based on the US-CERT alert, the UPS Store launched an internal review of its systems and also enlisted help from an IT security firm. The security firm then found that the reported malware was installed and active at 51 UPS Store locations in 24 states. The earliest evidence of the malware being installed was in January of this year and exposure didn't commence until March. In today's world, cybercriminals work extremely hard to produce techniques to subvert known protection solutions, so it's not uncommon and not surprising that the malware went undetected. You can't exactly blame the UPS Store for not being vigilant.
The UPS Store took responsible actions. Based on the US-CERT warning, the company took steps immediately to review its retail locations and systems to either provide assurance that it wasn't susceptible to the reported malware, or identify the potential danger and eliminate it. As of August 11, 2014, the UPS Store has been cleared and the malware completely eliminated.
In my mind, the UPS Store did the right thing. Could it have happened quicker? Sure. For those using massive management systems in the enterprise like System Center, the malware could have been detected and eradicated in an afternoon. But, without knowing what the UPS Store utilizes to protect its systems, it’s the steps that the company took that should be highlighted. And, it's important to note that the UPS Store mitigated the attack. Only 51 locations out of 4,470 were found to be infected by the malware. It could have been a lot worse had the company done nothing, or like CHS had been attacked already and simply chose to do nothing about it. CHS was attacked in April and then again in June. And, if reports are accurate, the attack was due to the OpenSSL Heartbleed issue warned about in April that the hospital organization ignored.
So, let's look back through the steps the UPS Store have taken. These could be a baseline best practice example for others.
- Received (and actually paid attention to) an industry impact warning
Took industry impact warning serious and acted on it:
- Performed internal review
- Enlisted professional, expert help
- Determined impact and scope
- Identified and eliminated danger
- Developed and infused new safeguards
- Disclosed incident publicly
- Informed and advised customers
- Provided complimentary customer service
The UPS Store is now offering complimentary identity protection for those customers impacted from the incident. You can read more about that, and determine if your location was involved, by visiting the COMPLIMENTARY IDENTITY PROTECTION page on the UPS Store web site. A FAQ is also available to provide better understanding of the type of information that was exposed, the actions the UPS Store has taken, and next steps.