United Parcel Service Inc. has alerted Canadian customers that a data breach may have resulted in their personal information getting exposed and used in phishing attacks.

The data breach news was first shared today on Twitter by threat analyst Brett Callow, who received a physical letter from UPS advising him of the data breach. The letter bizarrely starts with paragraphs of text explaining what phishing and smishing are — smishing is a social engineering attack that uses fake mobile messages — before finally getting to the point: that UPS had suffered a data breach.

So @UPS_Canada sent me a letter about phishing and smishing. Turns out it wasn't simply intended to be educational. In the 4th paragraph, it became apparent that it was actually a data breach notification. 1/2 pic.twitter.com/lw7PI7HORI

— Brett Callow (@BrettCallow) June 21, 2023

The letter states that after conducting an internal review, UPS “discovered a method by which a person who searched for a packer or misused a package lookup tool could obtain more information about the delivery, potentially including a recipient’s phone number.” The text appears to be a complicated way of saying someone found a way to exploit its website, gain customers’ phone numbers and then use those numbers for nefarious purposes, such as the rarely used term “smishing.”

UPS then advises in the letter that it has “taken steps to limit access to that information,” or in other words, the company secured its website. The letter is arguably comical, or as Callow said in a later tweet, “This is not what a data breach notification should look like… they should immediately make clear what they are, or else people will do what I almost did and put them in the recycling unread.”

Bleeping Computer reached out to UPS for comment and the response wasn’t that much better than the letter sent to those affected. “UPS is aware of reports relating to an SMS phishing (‘Smishing’) scheme focused on certain shippers and some of their customers in Canada,” the spokesperson said. “UPS has been working with partners in the delivery chain to understand how that fraud was being perpetrated, as well as with law enforcement and third-party experts to identify the cause of this scheme and to put a stop to it.”

Zach Capers, senior analyst at Gartner Inc. marketplace vendor Capterra Inc., told SiliconANGLE that the report indicates that “UPS customers have been targeted by SMS phishing scams that leveraged the company’s package look-up tools to obtain names, phone numbers and other information. It’s time that both consumers and businesses recognize the rising SMS phishing threat.”

Photo: Jason Vogel/Wikimedia Commons