
Goodwill Industries International, a network of 165 community-based agencies in North America, has been breached. This follows a previous announcement of a potential attack back in July. After an extensive forensic investigation lasting a month, Goodwill has now confirmed that "a third-party vendor’s systems" were indeed "attacked by malware, enabling criminals to access some payment card data of a number of the vendor’s customers."

According to the statement, about 10% of stores (or 20 Goodwill members, if you prefer) using the same third-party vendor were involved; Goodwill insists that there is no evidence of malware on internal systems. The breach was of third-party systems containing payment card information of certain Goodwill members’ customers. Those numbers may appear quite small, but on closer inspection they equate to 330 stores in 20 states and an estimated 868,000 payment cards compromised.

The attack took place between February 10, 2013, and August 14, 2014, although some stores were not exposed for such a long period. Details of the store locations that were impacted, in case you are worried, can be found here.

One question that remains unanswered at this stage is who the mysterious third-party vendor is, as the Goodwill statement does not name the company involved. Ken Westin, security researcher at Tripwire, says "the fact that Goodwill is not mentioning the third-party vendor by name, makes me question where the blame may lie. I believe the statement is purposely vague and raises more questions than it answers. Malware may have been installed on a third-party vendor’s systems, however where are those systems located, are these POS systems in the stores themselves connected to a network that is managed by Goodwill, or is the entire network and system managed by this mystery third-party vendor?"

Mark James, a security expert at ESET, points the finger of blame at the franchise. "It’s the job of the franchise to protect our data. It is up to them to ensure their POS machines are locked down and only the required is allowed to run. Operating systems and any third party software must also be up to date, and a good multi layered protection system should be in place."

As Editorial Director and Managing Analyst with IT Security Thing I am putting more than two decades of consulting experience into providing opinionated insight regarding the security threat landscape for IT security professionals. As an Editorial Fellow with Dennis Publishing, I bring more than two decades of writing experience across the technology industry into publications such as Alphr, IT Pro and (in good old fashioned print) PC Pro. I also write for SC Magazine UK and Infosecurity, as well as The Times and Sunday Times newspapers. Along the way I have been honoured with a Technology Journalist of the Year award, and three Information Security Journalist of the Year awards. Most humbling, though, was the Enigma Award for 'lifetime contribution to IT security journalism' bestowed on me in 2011.

0

A great man once said: if it can be built... it can also be taken apart.

I think between iCloud being breached, this happening, the Target attacks, etc., this is all just about par for the course. I think it'll be a long time before we see the end of breaches like this.

0

Well @PixelatedKarma, I would agree with the words you have used, i.e. if it can be built then it can also be taken apart, but tell me, where does the iCloud come from? I would say the breach in security isn't because of a fault from Apple; it's because of the fault of the user. Like, consider I am a very great personality, say Kelly, and I am dumb and set my iCloud password to my name, and I guess there are a number of attackers over the web who keep looking for such dumb users. So, I guess better would be to blame the users, not iCloud! :P

1

The iCloud fiasco was a combination of the usual user dumbass stuff and some Apple dumbass stuff (in not locking down password retries using the find my phone route in).

1

It's one of those things... unfortunately, even following security best practices for developers, with the way technology changes at such a fast pace something will almost always get missed at initial launch and even as time goes on. To use iCloud as an example, Apple has some of the brightest, smartest developers in their work force. They utilize multi-layered security... yet they missed preventing brute force attacks, something that is one of the oldest types of hacking in the history of the internet. It happens, and as long as everyone and their dog considers themselves a developer and as long as we as internet users keep trusting more and more information online, these breaches will continue.
