North American non-profit community organisation, Goodwill Industries International, has confirmed that a malicious attack on third-party systems impacted its retail members.
In a statement, Goodwill Industries International confirmed that a third-party vendor’s systems were attacked by malware, which enabled attackers to access some payment card data of a number of the vendor’s customers. The impacted Goodwill members used the same affected third-party vendor to process credit card payments.
Goodwill said a forensic investigation found that each of the impacted Goodwill members took immediate action to ensure that the malware found on the third-party vendor’s systems no longer presented a threat to individuals shopping at the affected Goodwill members’ stores.
The investigation found that 20 Goodwill members (representing about 10 per cent of all stores) who use the same affected third-party vendor were impacted, although there was no evidence of malware on any internal Goodwill systems. Affected were systems that contained payment card information, such as names, payment card numbers, but there is no evidence that customer personal information, such as addresses or PINs, were accessed.
Jim Gibbons, president and CEO of Goodwill Industries International, said: “We continue to take this matter very seriously. We took immediate steps to address this issue, and we are providing extensive support to the affected Goodwill members in their efforts to prevent this type of incident from occurring in the future.
“We realise a data security compromise is an issue that every retailer and consumer needs to be aware of today, and we are working diligently to prevent this type of unfortunate situation from happening again. Goodwill’s mission is to provide job training for people with disabilities and disadvantages. We provide this service to millions of people each year. They, our shoppers and our donors, are our first priority.”
Its investigation found that the attack affected the third-party vendor’s systems intermittently between February 10th 2013, and August 14th 2014 in total. Some stores experienced shorter periods of impact.
Ken Westin, security researcher at Tripwire, pointed to the fact that the third-party vendor was not mentioned by name, making him wonder where the blame may lie.
“A lot of, if not most retailers, rely on third-party vendors to some degree in payment systems,” he said. “I believe the statement is purposely vague and raises more questions than it answers. Malware may have been installed on a third-party vendor’s systems, however where are those systems located? Are these POS systems in the stores themselves connected to a network that is managed by Goodwill? Or is the entire network and system managed by this mystery third-party vendor?”
Richard Blech, CEO of Secure Channels, said: “Another day and another breach. Hackers have no boundaries and seek to exploit any and all possible victims whoever and wherever to get access to sensitive and private data. More than ten percent of Goodwill’s 2,900 stores were infected by a malware for more than a year before being discovered through a forensics investigation.
“It has now become abundantly clear that the current point-of-sale (PoS) systems, both on the hardware and software side, are now vulnerable and a proven target of the hackers. Simply being PCI compliant is no longer sufficient. Da
ta emanating from and transmitting through PoS systems needs to be secured with absolute certainty.”