Smishing

As reports suggest, UPS shipping and logistics recently faced a security incident after finding an unauthorized access issue on their internal audit. There was a package-lookup tool used by UPS for tracking details about any package.

This tool can be misused to obtain more information about a particular package, and the recipient details can be extracted, leading to the potential leakage of sensitive information by third parties.

Attackers use the technical called Smishing, a Phishing attack via SMS, to harvest phone numbers and other information from its online shipment tracking tool.

Breach Notification sent through Letter

One of the Twitter users (@BrettCallow) using the UPS company services received a letter that looked like a regular educational letter. But it turned out to be a data breach notification.

Image: Data Breach notification Letter from UPS

The letter stated that there had been unauthorized access to the UPS systems between February 1, 2022, and April 24, 2023, which could’ve leaked sensitive information from their systems. The data that has been breached include,

  • Recipient Names
  • Shipment address
  • Phone numbers
  • Order numbers

The letter also informed their users to be aware of Phishing and Smishing attacks. The letter stated that “UPS is aware that some package recipients have received fraudulent text messages demanding payment before a package can be delivered.

UPS has been working with partners in the delivery chain to understand how that fraud was being perpetrated.

UPS also mentioned that they could not confirm the exact time and date of the package-lookup tool misuse. They also said this may have affected a small group of shippers and their customers. Investigation into this incident is ongoing, and the breach data is yet to be confirmed.

“During that review, UPS discovered a method by which a person who searched for a particular package or misused a package look-up tool could obtain more information about the delivery, potentially including a recipient’s phone number,” the letter reads. “Because this information could be misused by third parties, including potentially in a smishing scheme, UPS has taken steps to limit access to that information.”

UPS (United Parcel Service) is a significant shipping, logistics, and supply chain company headquartered in Georgia, United States. The company has made a revenue of $100.3 billion in 2022, with more than 536,000 employees worldwide.

The notice to UPS Canada customers makes no indication of whether other customers in North America were affected, and it is unknown whether UPS clients outside of Canada were targeted.

Also Read:

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.