Analyzing Possible Goodwill Breach
Issuers Suspect Other Merchants Could Be Affected
Card issuers working to trace suspicious transactions that could be linked back to a possible payments breach at Goodwill Industries International suggest more merchants could be affected.
One card issuer says the possible compromise of credit and debit card data could be the result of a point-of-sale device or software vulnerability, which, if confirmed, likely impacted more than just Goodwill.
Goodwill is a not-for-profit charitable organization that sells donated merchandise to fund job programs. It generated $1.79 billion in retail sales in 2013 and operates more than 2,900 stores along with an online auction site. The membership organization has 165 independent headquarters throughout the U.S. and Canada and an international presence in 14 other countries.
On July 18, Goodwill was contacted by federal authorities and an unnamed "payment card industry fraud investigative unit" about a possible card compromise, according to a statement provided to Information Security Media Group. On July 22, the charity posted an updated statement to its website, saying it had initiated an investigation into the possible breach with federal authorities.
So far, no breach of payments data has been confirmed.
"We are proactively engaged with the payment card industry contacts, the Secret Service and all Goodwill headquarters to identify what problem, if any, exists so that we can take prompt and appropriate actions as well as communicate appropriately to any affected parties," says Goodwill spokeswoman Lauren Lawson-Zilai.
Reviewing Fraud Activity
An executive with a Midwestern bank who's reviewing fraudulent activity that might be connected to Goodwill purchases tells Information Security Media Group the suspected breach could date back to January.
But determining the exact point of compromise has proved challenging, says this executive, who asked to remain anonymous. That's because some issuers now believe numerous merchants, including Goodwill, may have been impacted by a malware attack that remotely compromised point-of-sale terminals via a software vulnerability.
Remote-access vulnerabilities have been linked to a number of recently suspected card data compromises, including one involving the breach of a LogMeIn account used by Vancouver, Wash.-based Information Systems & Supplies Inc. last month. IS&S is an independent POS systems and security provider that caters to the food-service industry (see POS Vendor: Possible Restaurant Breach).
On June 12, IS&S alerted some of its restaurant customers about a remote-access compromise that may have exposed card data linked to POS transactions conducted between Feb. 28 and April 18 of this year. LogMeIn is a remote access and systems management provider that facilitates, among other things, file sharing and data backup.
Security risks associated with remote access have been blamed for breaches at other restaurant chains and retailers. For example, in 2011, investigators uncovered a remote software weakness that hackers exploited for nearly three years, allowing them to access the POS networks of more than 150 Subway restaurant franchises and other merchants. And in the spring of 2013, federal investigators traced POS malware that targeted a select group of Kentucky and Southern Indiana merchants back to a remote software vulnerability (see Retailers Attacked by POS Malware).
Marjorie Meadors, assistant vice president and head of card-fraud prevention for Louisville-based Republic Bank & Trust, one of the issuing banks impacted by the 2013 attack, contends that POS vendors and remote-access software are among the payments industry's weakest security links. "The software companies cause the problem but get off totally free," she says.
No Centralized Network
Goodwill did not respond to ISMG's request for information about the type of POS terminals and software used in its U.S. locations. But spokeswoman Lawson-Zilai says the organization does not have a centralized point-of-sale network. Whether the possible breach impacted sales made through the organization's online auction site also has not been noted by Goodwill.
"Goodwill Industries International is composed of 165 autonomous, independent agencies with headquarters throughout the United States and Canada, and an international presence in 14 other countries," Lawson-Zilai says. "Each of these headquarters is governed by a local president and CEO. In addition, each Goodwill headquarters operates the stores and donation centers within its territory. There is not one central point-of-sale network."