Goodwill alone might not be enough to protect Goodwill Industries from hackers seeking to gain financial reward.
Goodwill Industries is an international organization that seeks to help out families and individuals with job training and other services. Goodwill also operates a retail operation that sells donated goods to help fund its operations. According to Goodwill, the organization had $3.79 billion in retail sales in 2013, which might well have made the organization a juicy target for attackers.
Goodwill is currently investigating a possible payment card data breach that was first reported to the organization on July 18.
“We are currently working with the Secret Service and the payment card industry fraud investigative units to identify if a breach has occurred,” Goodwill noted in a statement sent to eWEEK. “We are proactively engaged with the payment card industry contacts, the Secret Service and all Goodwill headquarters to identify what problem, if any, exists so that we can take prompt and appropriate actions as well as communicate as needed to any affected parties.”
There are 165 independent Goodwill headquarters that collectively make up Goodwill Industries International.
Goodwill noted in its statement that a payment card industry fraud investigative unit and federal authorities informed it that select U.S. store locations may have been the victims of possible theft of payment card numbers. Goodwill stressed that the investigation is still ongoing to determine if a breach did in fact occur.
“At this point, no breach has been confirmed but an investigation is underway,” Goodwill stated.
Goodwill did not provide any additional detail on the period of time that is under investigation or how many stores or consumers might possibly be at risk.
A report from blogger Brian Krebs alleges that the possible Goodwill breach might go as far back as the middle of 2013. The report also alleges that Goodwill stores in at least 21 states have likely been impacted by the data breach.
If the Goodwill breach is confirmed, it will join a list of other U.S retailers that have been the victims of payment card breaches in the last 12 months. The biggest retail breach of the last year is Target, which impacted 70 million consumers and was first disclosed on Dec. 19, 2013. On Jan. 10, Neiman Marcus confirmed that it, too, was the victim of a data breach. More recently, on June 12, Chinese restaurant chain P.F. Chang’s confirmed that its payment card systems were also breached.
While the root causes of the various data breaches are not all known, there are a number of weaknesses in the current point-of-sale (POS) payment card systems. Some experts have pointed to the use of magnetic stripe-based credit cards instead of chip and PIN as being a weakness. Target and other retailers are now moving to implement chip and PIN to help minimize that risk.
There is also a risk from a botnet that is seeking out vulnerable POS systems. A recent report from security firm FireEye details the BrutPOS malware botnet that automatically seeks out POS systems and attempts to gain access.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.