UPS discloses data breach following exploitation of customer info in SMS phishing attacks

UPS, the multinational shipping company, has revealed that some Canadian customers may have exposed their personal information through its online package look-up tools, which has subsequently been exploited in phishing attacks.

Initially appearing as a warning about the dangers of phishing, UPS Canada’s recent communication titled "Fighting phishing and smishing - an update from UPS" has been unveiled as a data breach notification. In the notification, UPS disclosed that it has received reports of SMS phishing messages containing recipients’ names and address information.

According to UPS, fraudulent text messages demanding payment before package delivery have been sent to certain package recipients. Emsisoft threat analyst Brett Callow shared a letter from UPS, where the company acknowledged these phishing attempts.

Upon receiving the reports, UPS collaborated with partners in the delivery chain to investigate the methods used by the threat actors to obtain shipping information. Through an internal review, UPS discovered that the attackers had utilized its package look-up tools to access delivery details, including recipients’ personal contact information, between February 2022 and April 2023.

UPS has implemented measures to restrict access to sensitive data to counter these sophisticated phishing attempts. The company proactively notifies individuals whose information may have been compromised, prioritizes transparency, and raises awareness about the situation.

The information accessible through the package look-up tools included the recipient’s name, shipment address, and potentially phone number and order number. UPS could not provide an exact timeframe for the misuse of the package look-up tools, but it is believed to have impacted packages from a small group of shippers and their customers.

This data breach has affected UPS customers worldwide, as threat actors have exploited their names, phone numbers, postal codes, and information about recent orders. UPS is working diligently to address the breach and strengthen its security measures to prevent future incidents.