UPS

• Breach date: Between January 20 and August 11, 2014. UPS learned of the threat on July 31, 2014.
• Notification date: August 21, 2014.
• Type: Malware attack using “memory scraping” software.
• Targeted data: Names, addresses, e-mails, phone numbers, and card information.
• Motive for the breach: Theft.
• Damages and data subjects affected: The hackers affected over 100,000 transactions over the period of breach and attacked 51 stores in 24 states.
• Preventive measures: The store’s systems were not linked to one another electronically, so the damage was contained to only 1% of the company’s systems. UPS investigated the breach after reading a government notification on malware attacks.
• Curative measures and liability: UPS said that it is providing identity protection and credit monitoring help to affected customers. The company additionally increased its protection on other stores. UPS also published a list of affected stores, including the breach inception date and duration. The company was lauded by some for its “well-written data breach notification.”
• GDPR compliance: While it is unclear whether UPS had “privacy-by-design” implemented or whether they maintained security in their processing, at the time they were ...