Processor Malware The Culprit Behind Goodwill Breach

Malware at a payment-card processor was responsible for the theft of details on an estimated 868,000 credit and debit cards used at Goodwill Industries thrift stores, the organization said on Wednesday (Sept. 3).

An independent forensic investigator found no evidence of malware on any internal Goodwill systems, including point-of-sale systems in stores. But malware was found on the systems of a third-party payment-processing vendor used by 330 stores in 19 states and Washington, D.C.

Goodwill did not name the processor, but said the cyberthefts took place during the 18 months between Feb. 10, 2013, and Aug. 14, 2014. All the affected Goodwill stores — about 10 percent of the charity franchise’s 2,900 stores — used the same third-party processor.

Names, payment card numbers and expiration dates were stolen in the breach, but there is no evidence that other customer personal information such as addresses or PINs were stolen.

Goodwill was first notified of a potential breach in July by what it identified as “a payment card industry fraud investigative unit and federal authorities,” which reported that a suspicious pattern of fraudulent charges at big box retailers and grocery chains had been traced back to cards used at the charity’s stores in Alabama, California, Colorado, Florida, Georgia, Illinois, Indiana, Kansas, Louisiana, Maryland, Missouri, North Carolina, New Mexico, Ohio, Pennsylvania, South Carolina, Tennessee, Virginia, West Virginia and Washington, DC.