The company said more than 100,000 transactions could have been exposed by a "limited malware intrusion," but it didn't know exactly how many or which customers were affected.
Customers at UPS Stores in Orange, Calif., and 50 other locations across the country may have had their personal information and credit or debit card details swiped by hackers from January to this month, though the shipping company has found no evidence of fraud linked to the intrusion.
"I understand this type of incident can be disruptive and cause frustration," Tim Davis, president of the UPS Store Inc., said in a statement Wednesday. " I apologize for any anxiety this may have caused our customers."
The company said more than 100,000 transactions could have been exposed by a "limited malware intrusion," but it didn't know exactly how many or which customers were affected. The company told customers to check whether they shopped at any of the affected locations, which also included three in Northern California.
"We encourage you to remain vigilant by reviewing your account statements and monitoring your free credit reports," the company said in a letter to consumers. "If you believe your credit or debit card was impacted by this incident, you should immediately contact your payment card issuer or bank."
As is now normal for the constant stream of data breaches affecting companies of all types, UPS will offer free credit monitoring to customers whose information was exposed.
UPS said it hired a cybersecurity firm to inspect its systems after the government's recent warning to retailers that hackers were scanning the Web to find entry points into companies' computer systems. The network access points typically enable workers to perform tasks from outside the office, but hackers have tapped vulnerabilities to then meander within a company and deploy malicious programs.
Analysts at ABI Research said this month that such breaches have a "measurable impact on customers’ loyalty and spending habits."
UPS said it has 4,470 franchised locations, so only about 1 percent were affected. The first California location was breached April 29, and the company said the security hole was closed Aug. 11.
©2014 the Los Angeles Times