Multinational shipping company UPS is issuing data breach notifications to Canadian customers, warning them about potential exposure of personal information through its online package look-up tools, which has been exploited in phishing attacks. Initially appearing as a warning about phishing dangers, the notification discloses that UPS has received reports of SMS phishing messages containing recipients’ names and addresses. The attackers behind an ongoing SMS phishing campaign accessed delivery details, including personal contact information, using UPS package look-up tools between February 2022 and April 2023. UPS is implementing measures to restrict access to sensitive data and notifying affected individuals to ensure transparency.
UPS acknowledges that the breached information available through the package look-up tools included recipients’ names, shipment addresses, and potentially phone numbers and order numbers. While unable to specify the exact timeframe of the misuse, UPS indicates it may have affected packages for a small group of shippers and customers from February 1, 2022, to April 24, 2023. UPS customers globally have reported phishing attacks impersonating companies like LEGO and Apple, with threat actors using names, phone numbers, postal codes, and information on recent orders. The phishing attacks align with a broader trend of SMS phishing schemes, prompting federal agencies like the IRS and FCC to warn against such attacks and advise caution when encountering suspicious messages.
UPS is actively working with partners, law enforcement, and third-party experts to understand the fraud methods and put a stop to the scheme. In response to the phishing incidents, UPS is sending privacy incident notification letters to affected individuals in Canada and encourages customers and consumers to stay informed about protecting themselves against such attempts. The company emphasizes vigilance and offers resources on fighting fraud to enhance awareness and security.
