UPS exposed data of Canadian customers through online package look-up tools

The multinational shipping company UPS is notifying Canadian customers about a data breach that occurred through its online package look-up tools, potentially exposing personal information that has been abused in phishing attacks.

Investigation revealed that threat actors used UPS' package look-up tools to access delivery details and personal contact information of recipients between February 2022 and April 2023.

The potentially exposed data inlcudes 

• recipient names,
• shipment addresses,
• phone numbers,
• order numbers

The breach notification letters, initially appearing to be warnings about phishing, disclosed that UPS has received reports of SMS phishing messages containing recipients' names and addresses.

UPS has already implemented measures to restrict access to sensitive data and is notifying affected individuals. The phishing attacks have targeted UPS customers worldwide, with threat actors impersonating companies such as LEGO and Apple in malicious text messages.