Goodwill Confirms Data Breach, Claims Backoff Isn't the Culprit
A data breach that involved potentially 868,000 credit cards and was first suspected back in July is now confirmed.Goodwill Industries confirmed on Sept. 3 that it was in fact the victim of a data breach; surprisingly, however, that breach is not the result of Backoff point-of-sale (PoS) malware. The Goodwill breach was initially reported on in July by eWEEK and other media outlets as being under investigation by Goodwill and the U.S. Secret Service. Goodwill is an international organization that helps families and individuals in need with job training and other services. It funds its efforts in part through a network of retail locations where donated goods are sold. Lauren Lawson-Zilai, director of public relations and national spokesperson for Goodwill Industries International (GII), told eWEEK in an email that when the organization became aware of the data security issue, it informed the public on July 21. Since then, Lawson-Zilai said that GII and the 20 impacted Goodwill members engaged a third-party forensic expert to conduct an extensive investigation. GII and the 20 Goodwill members have been working closely with federal law enforcement authorities to determine the facts, she added.
With the forensic investigation complete, GII is now providing details on what actually occurred. That attack is thought to have been operational between Feb. 10, 2013, and Aug. 14, 2014, and was directed against a third-party vendor's systems. In total, 20 Goodwill members responsible for 330 Goodwill stores were affected by the breach. Approximately 868,000 credit cards are potentially involved in the data breach.