Goodwill Industries International, a network of 165 community-based agencies in North America, has been breached. This follows a previous announcement of a potential attack back in July. After an extensive forensic investigation lasting a month, Goodwill has now confirmed that "a third-party vendor’s systems" were indeed "attacked by malware, enabling criminals to access some payment card data of a number of the vendor’s customers."
According to the statement, about 10% of stores (20 Goodwill members) that used the same third-party vendor were involved; Goodwill insists there is no evidence of malware on its own internal systems. The breach affected third-party systems holding payment card information belonging to customers of certain Goodwill members. Those numbers may appear small, but they equate to 330 stores in 20 states and an estimated 868,000 compromised payment cards.
The attack took place between February 10, 2013, and August 14, 2014, although some stores were exposed for a shorter period. Details of the store locations that were impacted, in case you are worried, can be found here.
One question that remains unanswered at this stage is who the mysterious third-party vendor is, as the Goodwill statement does not name the company involved. Ken Westin, security researcher at Tripwire, says: "The fact that Goodwill is not mentioning the third-party vendor by name makes me question where the blame may lie. I believe the statement is purposely vague and raises more questions than it answers. Malware may have been installed on a third-party vendor’s systems; however, where are those systems located? Are these POS systems in the stores themselves connected to a network that is managed by Goodwill, or is the entire network and system managed by this mystery third-party vendor?"
Mark James, a security expert at ESET, points the finger of blame at the franchise. "It’s the job of the franchise to protect our data. It is up to them to ensure their POS machines are locked down and only the required is allowed to run. Operating systems and any third-party software must also be up to date, and a good multi-layered protection system should be in place."