Goodwill: 868,000 Cards Compromised

Malware Used in Compromise of Third-Party Vendor

Goodwill Industries International says in an update about a breach affecting about 330 of its stores that approximately 868,000 payment cards were exposed. The breach stemmed from malware used to compromise a third-party vendor used "to process credit card payments" (see: Goodwill Confirms Card Data Breach).


Information exposed in the breach includes names, payment card numbers and expiration dates of certain Goodwill customers. There is no evidence that other customer personal information, such as addresses or PINs, was affected by the malware, Goodwill says.

The malware involved in the breach is known as RAW.Pos, says Lauren Lawson-Zilai, a spokesperson for Goodwill, the not-for-profit charitable organization that sells donated merchandise to fund job programs. The investigation found no evidence of malware on any internal Goodwill systems, she says.

Goodwill says it's not naming the third-party vendor involved in the card data breach due to an ongoing federal criminal investigation.

Goodwill comprises a network of 165 independent headquarters. Some 20 of those "members" were affected by the breach. "The impacted Goodwill members used the same affected third-party vendor to process credit card payments," the charity reports.

Malware Involved

The strain of malware identified by Goodwill isn't well-known among researchers, says Adam Kujawa, head of malware intelligence at Malwarebytes, an anti-malware and Internet security software firm. "I am not familiar with that particular family of POS malware nor can I find anyone else who has heard of it or done any analysis on it," he says.

"Maybe it has a more commonly used name," Kujawa says. "At the end of the day though, the operation of any point-of-sale malware is the same; the biggest differences lie in how the data is transmitted and how the malware hides itself on the infected system."

Lucas Zaichkowsky, enterprise defense architect with AccessData, an e-discovery and computer forensics provider, also hasn't heard of RAW.Pos before, echoing Kujawa's observations. "It probably has a better known alias," he says.

Breach Notification

Because Goodwill stores do not have addresses for their customers, a press release and other external communications were issued as part of a substitute notification plan, Lawson says. "Our primary concern is for the people we serve ... and we are committed to ensuring that their information is secure," she says. "We wanted to notify customers as soon as we had new details pertaining to the investigation."

Goodwill is not offering free credit monitoring services at this time, Lawson says, because Social Security numbers were not affected. "Rather, we encourage customers to review their account statements and report any suspicious activity to their bank or card issuers immediately," she says. "Protecting the privacy of Goodwill's customers' payment card data is extremely important to us, and we deeply regret that this occurred."

Kujawa at Malwarebytes says the Goodwill announcement shows the company is taking responsibility for the breach and informing its customers of the potential dangers. "We are still coming out of a period where revealing cyber-attacks was taboo and meant suicide for your business if anyone ever found out about it," he says. "Now that cyber-attacks are more than just a rare occurrence but almost an everyday risk every time someone turns on their computer, individuals and organizations need to communicate more so that we can do our best at securing our online world."

Breach Details

Approximately 330 stores in 20 states were affected by the compromise, Goodwill says.

The impacted locations - which represent more than 10 percent of Goodwill's 2,900 stores - all used the same third-party vendor that was breached. The malware affected the vendor's systems intermittently between Feb. 10, 2013, and Aug. 14, 2014, Goodwill says.


About the Author

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.



