UPS Reveals Data Breach Following Exploitation of Customer Information in SMS Phishing Attack

UPS has issued a warning to its customers regarding a potential data breach and the misuse of personal information in phishing attacks. While the initial communication from UPS, titled “Fighting phishing and smishing – an update from UPS,” may appear to be a general warning about phishing, it actually serves as a data breach notification. The company has acknowledged receiving reports of SMS phishing messages that contain recipients’ names and address information.

UPS clarified that fraudulent text messages demanding payment before package delivery have been received by some package recipients. The company worked with its delivery partners to investigate the methods employed by the threat actors behind this SMS phishing campaign. Through an internal review, UPS determined that the attackers accessed recipients’ shipping details, including personal contact information, by utilizing its package look-up tools.

To counter these convincing phishing attempts, UPS has implemented measures to limit access to sensitive data. The company is in the process of notifying individuals whose information may have been affected to ensure transparency and awareness.

The compromised package look-up tools provided access to recipients’ names, shipment addresses, and potentially phone numbers and order numbers. UPS cannot specify the exact timeframe during which the misuse of the package look-up tools occurred, but it is estimated to have affected a small group of shippers and their customers.

Reports indicate that UPS customers worldwide have been targeted in these phishing attacks, with threat actors using their names, phone numbers, postal codes, and information on recent orders. The attackers have impersonated companies such as LEGO and Apple in the malicious text messages, and it is likely that other shippers were also affected.

Further details regarding the number of affected customers and the specific companies impersonated in the attacks were not immediately available from UPS. However, the Internal Revenue Service (IRS) and the Federal Communications Commission (FCC) had previously warned the public about the increasing prevalence of SMS phishing attacks, urging individuals to remain cautious and avoid clicking on links or providing sensitive information in response to suspicious messages.