Security News > 2023 > June > UPS discloses data breach after exposed customer info used in SMS phishing

Multinational shipping company UPS is alerting Canadian customers that some of their personal information might have been exposed via its online package look-up tools and abused in phishing attacks.

At first glance, the letters sent by UPS Canada, titled "Fighting phishing and smishing - an update from UPS," seem to be a warning to customers about the dangers of phishing.

It turns out that this is actually a data breach notification, with the company sneaking in a disclosure stating that it has been receiving reports of SMS phishing messages containing the recipients' names and address info.

After receiving the phishing reports, UPS worked with partners within the delivery chain to understand the method used by the threat actors to harvest their targets' shipping information.

Following an internal review, UPS found that the attackers behind this ongoing SMS phishing campaign were using its package look-up tools to access delivery details, including the recipients' personal contact information, between February 2022 and April 2023.

UPS customers worldwide have been affected by these phishing attacks, as shown by online reports showing the threat actors using their names, phone numbers, and postal codes, as well as info on recent orders.

News URL

https://www.bleepingcomputer.com/news/security/ups-discloses-data-breach-after-exposed-customer-info-used-in-sms-phishing/