CEO Sharon Price John says Build-A-Bear’s old e-commerce system is a big reason for disappointing online sales in December.
Malicious software has been discovered at 51 UPS Store locations in 51 states, and 105,000 transactions may have been compromised, UPS says.
Aug. 21 (Bloomberg) -- United Parcel Service Inc. said a breach of computer security at some of its UPS Store retail outlets may have exposed customers’ personal and payment data this year.
Malware was found at 51 locations in 24 states, or about 1% of the 4,470 franchise stores across the U.S., UPS said yesterday in a statement. About 105,000 transactions were affected, although the company can’t yet say how many customers, said Chelsea Lee, a UPS Store spokeswoman.
The incursion adds Atlanta-based UPS to a roster of major companies facing attacks from hackers, including hospital operator Community Health Systems Inc. and supermarket chain Supervalu Inc. Thieves stole credit card numbers and other personal information from at least 70 million Target Corp. customers last year, the biggest retail hack in U.S. history. Target is No. 18 in the Internet Retailer Top 500 Guide.
UPS, the world’s largest package-shipping company, said its breach may have been limited because each franchised retail outlet is individually owned and runs independent, private networks not connected to other locations. That arrangement “definitely helped,” Lee said in an interview.
At risk are UPS Store customers who used a credit or debit card at one of the affected locations from Jan. 20 through Aug. 11, the company said. At most of the locations, exposure to the malware began after March 26, and it was eliminated from all locations by Aug. 11, UPS said.
UPS is cited as the delivery service by 176 of the retailers in the Top 500, making it the No. 1 provider in that category, followed by FedEx at 144 and the U.S. Postal Service at 105. Amazon is the No. 1 online retailer by web sales in the 2014 Top 500 and Walmart.com No. 4.
Information that may have been revealed includes names, postal and e-mail addresses, and payment-card data, the company said. Not all information may have been exposed for each customer.
UPS Store is offering identity protection and credit monitoring programs for one year at no charge to customers who may have been affected, Lee said. The company currently has no evidence of fraud from the breach.
The incident is another setback for UPS, which missed some promised Christmas deliveries in 2013 when the company couldn’t keep pace with a surge of last-minute online purchases. UPS had to hire 85,000 temporary workers, raising costs and paring quarterly profit.