868,000 Payment Cards Compromised In US Thrift Shop Breach

US charity Goodwill Industries International has announced the results of a six week long investigation into a suspected data breach, admitting that around 868,000 customer credit and debit cards have been compromised.

The data was stolen from 330 stores across 20 US states. Just like in recent breaches at SuperValu and Target, the hackers infected Point-Of-Sale (PoS) systems with malware and then quietly downloaded card data over the course of several months.

The organisation said it already received reports about stolen cards being used to commit fraud, and advised customers to order and carefully review a free credit report.

I’ll take those flannel zebra jammies

Goodwill was founded way back in 1902 by a Methodist minister, who started collecting used clothing and other goods discarded in wealthier areas of Boston, then hired the unemployed to repair and sell them.

Today, the charity helps those less fortunate to find jobs, and runs a network of 2,900 thrift shops across the US and Canada. It earned $3.79 billion from its retail operations in 2013 alone.

In July, it emerged that the organisation was hit by hackers between February 10, 2014, and August 14, 2014.But it wasn’t Goodwill who discovered the breach – instead, it was notified about suspicious activity by the fraud investigation unit of an unnamed bank, followed by a warning from the federal authorities.

The charity hired a forensic expert who discovered malware on third-party PoS equipment used in hundreds of its franchise stores. This enabled the attackers to compromise around 868,000 payment cards. The investigation found no evidence of malware on any internal Goodwill systems, and all impacted stores have stopped using the affected vendor to process customers’ payments.

“We continue to take this matter very seriously. We took immediate steps to address this issue, and we are providing extensive support to the affected Goodwill members in their efforts to prevent this type of incident from occurring in the future,” said Jim Gibbons, president and CEO of Goodwill Industries International.

“Goodwill’s mission is to provide job training for people with disabilities and disadvantages. We provide this service to millions of people each year. They, our shoppers and our donors, are our first priority.”

Non-apology

Gibbons’ statement about “immediate steps” seems to contradict the information provided by Goodwill itself: the organisation says it was notified about the potential breach in July, but the attacks might have continued until the middle of August.

Goodwill has published a guide that includes information on how to order a credit report, and place a fraud alert or a “credit freeze” on a file – an operation that could end up costing the affected customers up to $60.

Unlike some of the previous major data breach victims, the charity is not offering customers free identity theft protection, but it did provide information about which government agencies to contact in case of identity theft.

“So who is to blame? Well in the first place it’s the job of the franchise to protect our data,” commented Mark James, security expert at ESET. “It is up to them to them ensure their POS machines are locked down and only the required [software] is allowed to run. Operating systems and any third-party software must also be up to date, and a good multi-layered protection system should be in place that includes up-to-date antivirus.”

“My recommendations would be to have multiple cards for different types of purchase, use a separate card for online purchases, and another one for large purchases over a set amount. It may seem over the top but if one gets lost or stolen, the impact on your life will be a lot less stressful.

“I would also advise consumers to always keep an eye on their credit statements to ensure there are no strange transactions. In particular look out for small amounts that don’t add up, these are often “feeler” purchases to see if the credit card is valid. They are often followed by larger amounts once verified.”

What do you do when tech fails? Take our quiz!