UPS has discovered an outbreak of debit and credit-card-reading malware in 51 of its branches in the US.
Exactly which strain of malware was involved is not known; a spokesperson told The Register today: "We're still investigating the infection." It's hoped the identity of the malware will be revealed once that probe is complete.
The shipping biz has issued a statement explaining that the software nasty was detected during an audit by an outside consultant.
That probe was in response to an American government security alert warning organizations to check for “a broad-based malware intrusion not identified by current anti-virus software”, the company says.
“UPS Store, Inc discovered malware identified in the [government] bulletin on systems at 51 locations in 24 states (about one per cent) of 4,470 franchised center locations throughout the United States,” the statement explains.
UPS says the security breach may have exposed credit and debit card data at the affected stores between January 20, 2014 and August 11, 2014. As many as 100,000 transactions may have been snooped on, we're told, out of the millions normally running through the UPS network.
Names and addresses were also accessible by the malware in the affected systems, but the company says that to date it hasn't identified any evidence of fraudulent activity as a result of the breach.
While UPS didn't identify the malware that had infected the franchise outlets, US-CERT has been warning about point-of-sale vulnerabilities for some time – for example, in this advisory in January.
At the beginning of August, US-CERT also warned against a brute-force attack on sales terminals. ®