Report: Goodwill Locations Hit By Credit-Card Breach
The charitable nonprofit group reported evidence that its payment systems were recently attacked and announced an investigation. Although Goodwill stores in multiple states may have been affected, the nonprofit's decentralized organizational structure could limit the damage.
A nonprofit organization that dovetails into retail is feeling the pain of a potential data breach this week.
Goodwill Industries International, Inc., a charitable nonprofit with more than 2,900 stores in the U.S. and Canada, learned from federal authorities that “select” stores may have been targeted in the theft of credit card numbers.
In a statement, Goodwill said that “no breach has been confirmed but an investigation is underway.”
The nonprofit may be partially protected by an organizational structure that makes it unlikely that all of its customers would be affected. Goodwill has 165 regional headquarters in the U.S. and Canada, with no centralized point-of-sale system.
However, tech security journalist Brian Krebs reported Monday that stores in 21 states showed patterns consistent with fraud, including locations in Arkansas, California, Colorado, Florida, Georgia, Illinois, Iowa, Louisiana, Maryland, Minnesota, Mississippi, Missouri, New Jersey, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia, Washington, and Wisconsin. The duration of the attack is unclear, but there’s evidence that it may have begun about a year ago, Krebs reported.
The breach echoes other instances of credit card theft—including breaches at Target, P.F. Chang’s, and Michaels—but has a darker tinge to it, due to Goodwill’s charitable mission.
One security expert noted that Goodwill will likely need to spend money intended for jobs programs to upgrade its point-of-sale systems.
“Like most nonprofits, they have a core mission, and spending significant dollars on high-end security for point-of-sale systems are dollars not going toward fulfilling that mission,” (ISC)2 Director of IT/Service Operations Philip Casesa told CSO magazine.
Meanwhile, industry groups such as the Retail Industry Leaders Association have been working on the cybersecurity issue in the wake of the Target breach.