Goodwill Names Vendor in Breach

C&K Systems Identified as Third Party Hit by Malware

Goodwill Industries International has confirmed that C&K Systems was the third-party vendor compromised in a data breach that impacted about 330 of its stores, resulting in the exposure of details on 868,000 U.S. debit and credit cards (see: Goodwill: 868,000 Cards Compromised).

The vendor, based in Murrells Inlet, S.C., manages and deploys cloud-based retail point-of-sale environments for small- and medium-sized specialty retailers. Some 20 of Goodwill's 165 independent headquarters, known as "members," used the vendor at their 330 stores, says Lauren Lawson-Zilai, a spokeswoman for the not-for-profit charitable organization that sells donated merchandise to fund job programs.

"All 20 previously affected Goodwill members have stopped using C&K Systems to process customers' payment cards," Lawson-Zilai told Information Security Media Group. "There is no longer a threat to individuals shopping at the previously affected Goodwill members' stores."

Earlier this month, Goodwill said the breach stemmed from malware known as RAW.PoS, which was used to compromise a third-party vendor. Information exposed in the breach includes names, payment card numbers and expiration dates (see: Goodwill Confirms Card Data Breach).

News of C&K Systems being the impacted vendor first came from idRADAR, an identity theft protection firm, which obtained a copy of the data breach notice Goodwill sent to the State of North Carolina that identified the third party.

C&K Systems did not respond to a request for additional information.

Remote-Access Attack?

While details on the attack on C&K Systems are scarce, two security experts say it's possible the compromise was the result of a remote-access attack.

"There is an ever-present possibility that criminals are favoring remote access-type attacks because the log-in credentials needed to access the databases and/or hardware are elements that could easily be obtained through phishing or social engineering," says John Buzzard, product manager for FICO Card Alert Service.

In July, a remote-access attack compromised Vancouver, Wash.-based food-service POS and security systems provider Information Systems & Supplies Inc. (see: POS Vendor: Possible Restaurant Breach). IS&S notified restaurants throughout the northwestern United States of the compromise that may have exposed card data linked to POS transactions.

Remote access has been the typical culprit when a single vendor's terminals have been implicated in a breach, making it a likely means of compromise in the Goodwill incident, says Al Pascual, a financial fraud and banking security analyst for consultancy Javelin Strategy & Research. "Odds are that there was a weak default or admin password in use and the system lacked any other form of authenticating a user accessing the system remotely," he says.

"This is low-hanging fruit for any organization and more needs to be done to educate businesses on these simple-to-remediate threats," Pascual says.


About the Author

Jeffrey Roman


News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.



