After a month and a half of investigation, Goodwill announced that 330 of its stores in 20 states were impacted by a credit card breach, in which an estimated 868,000 cards were compromised.
Goodwill’s investigation revealed that malware had been installed on a third-party vendor system used by 10% of its franchised stores to process credit cards. Twenty of Goodwill’s 158 regional headquarters in the United States were impacted by the breach, because of the shared third-party system. When the investigation first started in July, Goodwill stressed the fact that the company does not have a centralized payment system because it is a franchise.
The malware attack on the vendor’s systems occurred sporadically from Feb. 10, 2013, to Aug. 14, 2014, Gibbons , President and CEO of Goodwill Industries International (GII) wrote, adding that the card data includes names, payment card numbers and expiration dates. He said that there is no evidence of other information, including addresses and PINs, being compromised.
Goodwill says it has it has received “a very limited number of reports” of fraudulent activity from credit cards connected to Goodwill stores. Goodwill spokesperson Lauren Lawson said the investigation did not reveal specifics about the number of compromised cards, but Goodwill is estimating that 868,000 cards were compromised.
“Our outside forensic expert has confirmed that the malware is known as rawpos, according to the Symantec reference,” Lawson said. “This data compromise incident is not related to the [‘Backoff’] malware.”
Lawson confirmed that she was referring to the malware in this Symantec post, which states that ‘Infostealer.Rawpos,’ a trojan discovered in February of this year, is designed to steal confidential information from compromised computers.
Goodwill has stopped using the affected third-party vendor for payment card processing and has found no evidence of infections on any of its internal systems.
“Because this incident did not affect social security numbers, Goodwill is not offering credit monitoring services at this time,” Lawson said.
Actions are being taken to ensure a similar incident does not occur again, which include launching an enterprise wide Member Security Taskforce and establishing working agreements with security organizations to ensure best security practices are used, Lawson said.
“[GII] is working with the 158 independent, community-based Goodwill members across the country to launch an effort to harden their infrastructure,” Lawson said. “GII has intensified its educational efforts to include seminars and peer to peer learning opportunities about data security/PCI.”
A full list of impacted stores can be found on Goodwill’s website.