In a statement, the company said that customers who had used their debit or credit cards at affected locations, which are listed on the UPS website, from Jan. 20 to Aug. 11, 2014, may have been exposed to the malware, though it said exposure began after March 26 in most cases. UPS said it had eliminated the malware as of Aug. 11.
Chelsea Lee, a UPS spokeswoman, said the company began investigating its systems for indications of a security breach on July 31, the day The New York Times reported that the Department of Homeland Security and the Secret Service would be issuing a bulletin warning retailers that hackers had been scanning networks for remote access capabilities, then installing so-called malware that was undetectable by antivirus products.
UPS hired an information security firm and discovered that the malware was on its in-store cash register systems at 51 of its locations in 24 states, roughly 1 percent of UPS’s 4,470 franchises throughout the United States.
Read more: The New York Times Blog