Data Breach at the United Parcel Service - Case Study Example

Data Breach at the United Parcel Service Name Institution Introduction Most businesses are embracing modern technology as a mean of easing organizational activities. However, with the advancement in technology, several cases associated with hacking activities have been on the rise reflecting increment in the number of organization liabilities. Both the government corporations and private entities are at the risk of facing these unprecedented cyber-attacks and threats especially if the outlined security measures are weak. The cost of data breaches is on the rise around the globe as sophisticated thieves target valuable financial records. Direct costs associated with data breach include loss of customer loyalty, cost of hiring experts to help fix the breach, investigation of the cause, setting up hotlines for the customers, and offering monitoring plans for the credit and debit cards of the loyal clients (Wang, 2007). Nevertheless, most business entities often enforce poor communication methods among different departments and the clients. With poor communication, controlling data breaches might be a greater challenge and could lead to losses of greater magnitude. Background of the United Parcel Service (UPS) Considered as the world’s largest package delivery organization and a major provider of supply chain management, UPS has its headquarter in Sandy Springs, Georgia. The company delivers more than 15 million packages to about 6.1 million customers in a day within the 220 countries that it operates. In addition, most clients identify the company as “Brown” due to its brown delivery trucks. Besides the delivery roles, the company also operates its own airline and cargo delivery service based in Louisville, Kentucky. Considering its scope of operation, the company deals with numerous information of which some of them are very confidential. As a result, there is need to ensure adequate security measures on the database to prevent infringement into confidential information about the customers. Data breach in the company United Parcel Service Inc. data breach in its 51 stores, which might have affected more than 105,000 transactions of the customers between January and August. The breach mainly occurred in the computer systems found in the retail store outlets. In addition, the incident exposed personal information about the customers and payment data. With the rising technology, there is need to put in place security measures that monitors the malware activities. The company found the malware programme in all the 51 stores found the 24 states where it operates. Although the company had the number of affected transactions, it was not able to account for the number of customers affected by the incident (Kendrick, 2010). Furthermore, the management cited that the breach was limited considering the fact that the company does not manage all the networks of franchised business. The major activities that increased the level of susceptibility of the people are using credit and debit cards in the affected retail centers from January 20 through August 11. In most outlets, exposure to the malware began after March 26 and it took the company almost six months to eliminate the malicious programme. The information about the customers that were revealed includes the email addresses, payment card information, and their names. More importantly to note is that the malware found itself in the electronic cash registers of the company. In most security breaches, the criminals often scan the network of the retailers for software tools, which let the employees, and other vendors access the system remotely. Upon finding the tool within the system, the hackers search for the vulnerabilities or the credentials of the users to log into the system as the administrators. While in the system, reports indicate that the criminals were able to find their way into the point-of-sale (POS) system and implanted the malicious programme that they designed to capture the data when the customers were swiping their cards. Additionally, reports from the analysis of the KrebsOnSecurity indicate the hackers chose the company due to its retail nature. It is easier to target the retails due to the distributed nature of the remote stores and franchises, and the accessibility requirement across the globe to the backed up systems. In relation to the attack, the company received bulletins on July 31 from the United States Department of Homeland Security (Griffin, Ji, & Martin, 2003). Reports from the management indicate that it took longer periods for the company to note the malware since the current anti-virus used had no ability to identify the malicious programme. Since the data associated with credit and debit cards often remain in the plain text until its arrival at the payment processor, the most obvious precaution that companies accepting these cards should focus on is to encrypt the information immediate the card is swiped. Experts also indicate that it is important to leave the decryption key with the processors upon effecting the payment. According to the spokesperson of the company, Chelsea Lee, the company began the investigation of its systems for any indication of security breach on July 31. On the same day, New York Times reported that both the United States department of homeland security and the secret service issued warning to different retailers including UPS that the hackers had been scanning their networks for remote accessibility and installing the undetectable malware (Sampson, 2002). Considering the company knows the number of the affected transactions but no information on the affected clients, the initial decision it took was not to issue individual breach information. Analysis of how the company managed the incident According to the President of the company, Tim Davis, the incident caused anxiety among the clients and the management considering the amount of losses that the incident triggered. In addition, the company deployed extensive resources to assist in addressing and eliminating the incidence quickly. Upon conducting the investigations and establishing the occurrence of the incident, the company retained the Information Technology (IT) security firm and conducted a review of its security system. In addition, the company also reviewed all the systems used its franchised center locations. Since only a fraction of the total clients experienced the incident, the company decided not to send the notification mails to all the clients instead published the names of the affected customers on its website. Investigations from the company do not indicate any sign of fraud that arose from the incident. However, it invested many resources identifying protection and credit monitoring services to the customers whose information might have been compromised to prevent further infringement into their privacy. The investigation also established that the hackers implanted Backoff into the system. Backoff is a type of malware that mostly affect the POS systems and has made management difficult for most retailers since it is not easy to identify it within the system. Several studies indicate that most retailers are not fully prepared to handle problems associated with the malware activity. From the analysis reports, the company lack technology and tools of detecting the attacks on its database quickly. To prevent such incidences from occurring again, the company is collaborating with the banks issuing the credit and debit cards used by the customers to improve security measures. Additionally, the intensifying pressures on the banks and the retailers including UPS are currently introducing the new generation credit cards embedded with microchips (Gomzin, 2014). After receiving the confirmation from the government concerning the hacking activity, the company decided to hire an independent security to assist in reviewing its system and prompting the discovery. While replacing the cards might prevent unauthorized accessibility to the account, it does not offer protection for the customers from identity theft especially with modern software programmes coming into the market. Furthermore, the company put in place adequate measures to monitor the activities of the account holders. Besides, the measures also confidentially stored the credit history to prevent identity theft. The company also invested in the investigation of its internal processes and systems required to reduce the likelihood if such incident taking place again. Moreover, the company collaborated with a third party security firm to establish the fact about the hacking activities. Upon receiving the result, it decided to hide the truth from the customers, which made the criminals found another way of updating their malware. The company assumed that by removal of the malware virtually on its system across the United States would remedy the situation (Choate, 2008). However, the KrebsOnSecurity published its blog on the incident and reported the matter to the Secret Service to investigate the issue further. These activities compelled the corporation to announce publicly that its security had been breached, and criminals were able to access the credit and debit card numbers of the customers. If the corporation came out upon realizing the malicious activities, then it would have reduced the number of clients affected by the incident. The company took much duration responding to the incident making it difficult to estimate even the number of customers affected by the incidence. Customers are integral to any company; therefore, the communication criteria used by the company to inform them about the issue might help restore their loyalty and drive them away from associating with the company (Alexander, 2004). The company also had in place criteria for changing the passwords at least after every six months and when the vendors are dropped or the employees leave the company. In addition, the company ensured that log in information of the former employees were revoked to prevent the unauthorized access to the database. More importantly, the company collaborated with the government and security agencies to establish whether there were employees who collaborated with the criminals to give them access to the database. Conclusion Cases associated with hacking activities are on the rise with more companies investing many resources protecting accessibility to the database. In addition, globally, cybercrime is considered a criminal activity that is not only affecting the private business but also several state departments. The hacking of the UPS system affected several other financial institutions. For instance, Citibank announced the replacement of all debit cards to limit chances of financial harm to their clients. However, some thought that changing their PIN numbers would work, but in the end they were not effective posting other better measures. The company increased the susceptibility of more customers by failing to take an immediate action after realizing the hacking activity. Currently, the decisions made almost two years ago are greatly affecting organizational performance with more customers failing to trust organizational management. It is important to note that it requires experts to help enhance the security system of any organization. Such costs might be more, so most businesses often considered solving them internally without involving external security experts. With increasing technological use and advancement, business entities need to be prepared for any incident especially the rising number of cybercrimes. Collaborating with the Secret Service and the United States Department Justice made it easier for the company to reduce the effect on more customers. References Alexander, D. C. (2004). Business confronts terrorism: Risks and responses. Madison: University of Wisconsin Press/Terrace Books. Calder, A. (2005). A business guide to information security: How to protect your company's IT assets, reduce risks and understand the law. London: Kogan Page. Choate, P. (2008). Dangerous business: The risks of globalization for America. New York: Alfred A. Knopf. Gomzin, S. (2014). Hacking Point of Sale: Payment Application Secrets, Threats, and Solutions. Indianapolis, IA: Wiley. Griffin, J. M., Ji, X., & Martin, J. S. (2003). Momentum Investing and Business Cycle Risk: Evidence from Pole to Pole. Journal of Finance, 12(3), 101-114. Kendrick, R. (2010). Cyber Risks for Business Professionals: A Management Guide. Ely: IT Governance Pub. Sampson, K. L. (2002). Value-added records management: Protecting corporate assets, reducing business risks. Westport, CT: Quorum Books. Wang, A. (2007). Priming, Framing, and Position on Corporate Social Responsibility. Journal of Public Relations Research, 7(3), 88-112. Read More