Goodwill Industries has acknowledged that it's investigating a possible credit card breach affecting several of its locations nationwide.
Krebs on Security's Brian Krebs reports that Goodwill was warned on July 18, 2014 by a payment card industry fraud investigative unit and federal authorities that payment card numbers may have been stolen from some Goodwill stores.
"Investigators are currently reviewing available information," Goodwill said in a statement. "At this point, no breach has been confirmed but an investigation is underway. Goodwills across the country take the data of consumers seriously and their community well-being is our number one concern. Goodwill Industries International is working with industry contacts and the federal authorities on the investigation."
Krebs says sources in the financial industry have told him a pattern of fraud has been found on cards that were previously used at Goodwill stores in at least 21 states, including Arkansas, California, Colorado, Florida, Georgia, Iowa, Illinois, Louisiana, Maryland, Minnesota, Mississippi, Missouri, New Jersey, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia, Washington and Wisconsin.
Goodwill was the common point of purchase for the affected cards, that is, the one merchant at which all of them had been used before the fraud appeared. The cards were later used to make fraudulent purchases at big-box retailers and supermarkets, a pattern Krebs notes is consistent with similar breaches at Target, Neiman Marcus, Michaels, Sally Beauty and P.F. Chang's.
While the timeline isn't yet clear, Krebs' sources say the Goodwill breach may date back to the middle of 2013.
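How investigators arrive at a common point of purchase and a first estimate of the exposure window, as an added example that is not from the article or from Krebs' sources: the issuer takes the set of cards that later showed fraud, a control set that did not, and ranks merchants by how much more concentrated the fraud cards are at each one; the dates of the fraud cards' transactions at the winning merchant bound when the compromise began. All card IDs, merchant names and dates below are constructed, and the lift score is one simple choice for illustration, not any issuer's or fraud unit's actual method.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data for this example. Card IDs, merchant names and
# dates are invented; they are not from the Goodwill investigation.
# Each row: (card_id, merchant_chain, transaction_date)
TRANSACTIONS = [
    ("card-01", "Goodwill", date(2013, 7, 3)),
    ("card-01", "GroceryMart", date(2013, 8, 1)),
    ("card-02", "Goodwill", date(2013, 9, 14)),
    ("card-02", "GasStop", date(2013, 9, 20)),
    ("card-03", "Goodwill", date(2014, 1, 5)),
    ("card-03", "GroceryMart", date(2014, 1, 6)),
    ("card-04", "Goodwill", date(2014, 3, 22)),
    ("card-04", "GroceryMart", date(2014, 3, 30)),
    ("card-05", "GroceryMart", date(2014, 2, 2)),
    ("card-05", "GasStop", date(2014, 2, 9)),
    ("card-06", "GroceryMart", date(2014, 2, 12)),
    ("card-06", "Pharmacy", date(2014, 2, 13)),
]

# Cards the issuer has confirmed as later used fraudulently (constructed).
FRAUD_CARDS = {"card-01", "card-02", "card-03", "card-04"}


def cards_by_merchant(transactions):
    """Map each merchant chain to the set of cards seen there."""
    seen = defaultdict(set)
    for card, merchant, _ in transactions:
        seen[merchant].add(card)
    return seen


def rank_common_points(transactions, fraud_cards):
    """Rank merchants by how much more of the fraud population than of the
    control population shopped there. A merchant every cardholder uses (a
    big grocery chain) scores low even if every fraud card visited it; a
    merchant visited by most fraud cards but few control cards scores high.
    Returns (merchant, fraud_coverage, control_coverage, lift), best first."""
    all_cards = {card for card, _, _ in transactions}
    control_cards = all_cards - fraud_cards
    results = []
    for merchant, cards in cards_by_merchant(transactions).items():
        fraud_cov = len(cards & fraud_cards) / len(fraud_cards)
        control_cov = (len(cards & control_cards) / len(control_cards)
                       if control_cards else 0.0)
        lift = fraud_cov - control_cov
        results.append((merchant, fraud_cov, control_cov, lift))
    results.sort(key=lambda r: (r[3], r[1]), reverse=True)
    return results


def exposure_window(transactions, fraud_cards, merchant):
    """Earliest and latest dates at which a fraud card was used at the
    candidate merchant. The earliest date is a first estimate of when the
    compromise began; the latest is only a lower bound on when it ended,
    since cards used there more recently may not have shown fraud yet."""
    dates = [d for card, m, d in transactions
             if m == merchant and card in fraud_cards]
    if not dates:
        return None
    return min(dates), max(dates)


if __name__ == "__main__":
    ranked = rank_common_points(TRANSACTIONS, FRAUD_CARDS)
    for merchant, fcov, ccov, lift in ranked:
        print(f"{merchant:12} fraud={fcov:.2f} control={ccov:.2f} lift={lift:+.2f}")
    top = ranked[0][0]
    print("candidate CPP:", top, "window:",
          exposure_window(TRANSACTIONS, FRAUD_CARDS, top))
```

On the constructed data GroceryMart is visited by three of the four fraud cards, so coverage alone would make it a plausible candidate; the control set is what separates a merchant that is merely popular from one that is the actual leak, and a real analysis needs a control population large enough for that comparison to mean something.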
AlienVault Labs director Jaime Blasco said by email that these breaches demonstrate that prevention is no longer the way to go. "Instead, organizations need to invest in threat intelligence technology and data-sharing initiatives to be able to detect, respond and contain these kinds of threats," he said. "The financial industry has been sharing this type of data for years -- but we need more open, collaborative sharing where more organizations across industries have the knowledge and resources to detect and defend against these attacks."
To that end, in May of 2014, the Retail Industry Leaders Association (RILA) launched the Retail Cyber Intelligence Sharing Center (R-CISC), which RILA president Sandy Kennedy described at the time as a "comprehensive resource for retailers to receive and share threat information, advance leading practices and develop research relevant to fighting cyber crimes."
Still, Philip Casesa, director of IT/service operations at (ISC)2, pointed out by email that as a non-profit, Goodwill isn't in a position to spend significant amounts of money on high-end security solutions. "This seems to be the new fad -- hackers pick on companies with high volume transactions where security is an afterthought because of corporate culture, thin sales margins or, in this case, an organization with a positive mission looking to maximize benefits to the community," he said. "To hackers, these organizations are villages waiting to be pillaged."
"At the end of the day, the real shame here is that Goodwill now has to divert attention and resources to this incident, instead of focusing on their mission to help individuals and families," Casesa said.