Goodwill Admits Card Breach at 330 US Stores

An investigation lasting over a month has finally concluded that customers of over 300 Goodwill thrift stores in 20 US states may have had their card details compromised after malware was installed on third-party payment processing systems.

Goodwill Industries International (GII), to give it its full name, is a social enterprise which operates a network of 165 community-based agencies in the US and Canada, selling donated clothing and household items and providing various services to businesses and government agencies.

It emerged in mid-July that financial institutions were investigating card breaches dating back a year, and on Wednesday GII finally confirmed that around 10% of its stores (330) had been affected.

There’s no official news on how many cards have been affected, although several sources have put the figure at around 868,000.

The firm was quick to point out that no malware was found on any of its kit; it instead resided on a third-party vendor’s systems, allowing cyber-criminals to access names, payment card numbers, and expiration dates between February 10 last year and August 14 this year.

“There is no evidence that other customer personal information, such as addresses or PINs, were affected by this issue,” Goodwill added.

“We took immediate steps to address this issue, and we are providing extensive support to the affected Goodwill members in their efforts to prevent this type of incident from occurring in the future,” said president and CEO Jim Gibbons in a prepared statement. “We realize a data security compromise is an issue that every retailer and consumer needs to be aware of today, and we are working diligently to prevent this type of unfortunate situation from happening again.”

Goodwill added that its customers have received a “very limited number of reports” from their card providers of fraudulent activity.

The incident is just one of a series of high-profile breaches of retailers in the US this year, which began with Target in December 2013.

Since then, Sally Beauty, UPS and Home Depot have all contacted customers after major attacks on their systems.

Ken Westin, security researcher at Tripwire, argued that such attacks can have a direct impact on consumer confidence – the last thing businesses need as the busy holiday season approaches.

“As we have seen retailers will increasingly become targets, as attackers have identified key weaknesses and vulnerabilities in payment systems, they will continue to exploit them knowing that it will take retailers time and resources to identify these vulnerabilities and fix them,” he added.

Richard Blech, CEO of Secure Channels, claimed that strong data encryption at the hardware and software level may mitigate the risk of exposure.

“It has now become abundantly clear that the current point-of-sale (PoS) systems, both on the hardware and software side, are now vulnerable and a proven target of the hackers,” he argued.

“Simply being PCI compliant is no longer sufficient. Data emanating from and transmitting through PoS systems needs to be secured with absolute certainty.”
