Another day, another data breach: This time the victim is Goodwill Industries’ resale shops, which banks say may have been hit nationwide.
Financial institutions have told independent security researcher Brian Krebs that they are investigating a series of credit card breaches involving Goodwill locations that could go back as far as the middle of 2013. So far it’s unclear how many of the company’s 165 agencies have been impacted.
Goodwill said that it’s working with the US Secret Service to investigate further.
“Goodwill Industries International was contacted last Friday afternoon by a payment card industry fraud investigative unit and federal authorities informing us that select U.S. store locations may have been the victims of possible theft of payment card numbers,” the company wrote in an email to Krebs. “Investigators are currently reviewing available information. At this point, no breach has been confirmed but an investigation is underway.”
The point of compromise appears to the point-of sale systems in the thrift shops, highlighting yet once again the need to overhaul retail compliance efforts and security policies.
“Almost all major retail and credit card breaches occurred where that particular vendors/merchant was actually in PCI-DSS compliance,” said Vijay Basani, co-founder and CEO of EiQ Networks, in an email. “This goes to show regulations in general incentivize merchants to do just enough to pass QSA audit, and the fact these audit are not conducted accordingly to a standardized methodology (they are subject to a QSA's individual interpretation) coupled with the fact that a PCI-DSS audit is just a point-in-time audit and not continuous audit resulting in check box mentality and not true security.”
Mike Lloyd, CTO at RedSeal Networks, noted to Infosecurity that the campaigns go to show that any industry can be a target.
“Many organizations have been in denial for too long – executives are tempted to think ‘why would anyone come after us?’, when we're a charity, or a medical institution, or a sports team,” he said. “Many industries are loved by the public, and can lapse into thinking they don't have enemies, and so don't really need to worry about security. But the fact is that attackers use automation, and search for any door you leave open in your infrastructure – they can twist doorknobs on a global scale, and they don't much care which doors they open. If they find things worth taking behind the door (often credit cards), they can walk out with them. As attackers automate their search for weaknesses, defenders need to do the same.”