Goodwill: Malware At Third-Party Payment Processor Caused Breach
A payment processor had malware on its systems for more than a year, enabling cybercriminals to gain access to credit card data traced to Goodwill Stores throughout the U.S., according to the nonprofit organization, which issued a statement about the data breach this week.

The Rockville, Md.-based nonprofit organization, which oversees the membership of 2,900 independently operated retail stores in the U.S. and Canada, said the malware was present on the payment processor's systems between Feb. 10, 2013, and Aug. 14, 2014. The breach affected Goodwill Stores between June 25, 2013, and Aug. 14, 2014, Joseph R. Mendez, president of Goodwill of Sacramento Valley & Northern Nevada, said in a letter sent to affected customers.

The breach affected 330 stores in 20 states, and the exposed data included customer names, payment card numbers and expiration dates. Mendez said there is no evidence that customer addresses or PINs were exposed during the incident. Investigators believe the lapse resulted in the theft of more than 800,000 credit and debit card numbers.

"We realize that data security is an issue that every retailer and consumer needs to be more and more aware of today," Mendez said. "We deeply regret any inconvenience this may cause. Our primary concern is for the people we serve -- our community, our shoppers and our donors -- and we are committed to ensuring that your information is safe and secure."

[Related: POS Resellers To Clients: You're Just As Vulnerable As The Big Retailers]

Goodwill learned of a possible security lapse in July from a financial industry fraud investigative unit and the U.S. Secret Service, which had traced suspicious activity to some of its U.S. store locations. Goodwill is taking steps to prevent a recurrence, said Mendez, who urged customers to monitor their accounts for fraudulent activity.

Goodwill did not name the third-party vendor that had the lapse but said it has stopped using it to process payments. In one of the largest credit card breaches at the time, a security breach in 2009 exposed 100 million credit cards at Heartland Payment Systems, a Princeton, N.J.-based payment processor. The company later advocated for stronger data encryption measures.

Third-party data security lapses have been identified as a serious challenge for businesses and merchants attempting to safeguard sensitive data. The Payment Card Industry Data Security Standard was recently updated to advise merchants to be vigilant in evaluating the PCI compliance of business partners, including solution providers and resellers of payment terminals and point-of-sale software. Maintaining compliance with industry standards is an ongoing process, said John Oetinger, a sales executive at Missoula, Mont.-based solution provider Corporate Technology Group.

"What they're trying to accomplish with compliance is common-sense security best practices anyway," Oetinger said. "People should be paying attention to compliance-type metrics no matter what."

Security and compliance are a constant struggle for midsize businesses, said Kevin Willette, owner of Fridley, Minn.-based solution provider Verus, which assists firms in meeting health-care and payment industry compliance mandates.

Despite high-profile data breaches, network monitoring and tools to help minimize downtime are among the fastest-growing areas of the business, Willette said. Some customers called Verus to help identify and remove the Cryptolocker ransomware, which encrypted critical systems and temporarily brought operations to a halt, he said.

"Security is top of mind but at the end of the day, businesses want to minimize disruption to operations as much as possible," Willette said.

Meanwhile, Home Depot executives are also urging customers to closely monitor their accounts for suspicious activity as a team of forensic investigators probes unusual activity that might indicate a payment data breach. In a message to customers on its website, Home Depot apologized for the uncertainty during the investigation, which includes participation from its banking partners and the U.S. Secret Service.

"If we confirm a breach has occurred, we will make sure our customers are notified immediately," the company said. "You will not be responsible for any possible fraudulent charges. The financial institution that issued your card or Home Depot are responsible for those charges should we confirm a breach."

On Tuesday, banks reportedly linked a new cache of stolen credit card data that surfaced on an underground hacking forum to a possible breach at Home Depot. The lapse may affect all 2,200 of its stores.

PUBLISHED SEPT. 4, 2014