[German]U.S. company United Parcel Service, better known under the abbreviation UPS, has experienced a data protection incident in which customer information was leaked. During package tracking, third parties were able to view more data about a package recipient than desired. As a result, customers are now falling victim to phishing text messages. UPS Canada is affected. The parcel service, which is also active in Germany, has probably communicated the whole thing to those affected in a rather idiosyncratic manner.
United Parcel Service (UPS) of America, Inc. is a globally active US courier express parcel service company. UPS makes $74 billion in revenue (2019) and employs 496,000 people worldwide (2019). And UPS seems to have suffered a data privacy incident. A few hours ago, a tweet from security analyst Brett Callow already came to my attention.
Brett Callow has received a postal letter from UPS-Canada, which at first glance looks like an education about phishing and smishing. The fourth paragraph states that UPS has noticed that customers are receiving fraudulent text messages. They would be asked to make payments so that the package could be delivered. This is a scam that is commonplace in Germany.
The question is how the senders of the phishing messages get the recipients of the addresses. But during an internal investigation, UPS has come to the conclusion, the letter says, that a weakness exists in the package tracking system. A person searching for a specific package can retrieve more information than intended from UPS. Among the data is the recipient's phone number, which can then be misused.
The colleagues at Bleeping Computer have since also picked it up in this article. The data leak probably only affects UPS Canada, but customers should be on their guard. If data such as phone numbers have been captured from third parties, they can also be misused. What is very special, however, is the way UPS packaged this data privacy incident to communicate the problem to its customers.
