Goodwill Industries recently issued an update regarding a credit card breach that was first disclosed in July of 2014.
In Goodwill’s initial announcement regarding the incident, the company had stated that a breach hadn’t yet been confirmed, but that the possibility was being investigated.
In its recent update, Goodwill said a forensic investigation had found that a third-party vendor’s systems had been attacked by malware, providing the attackers with access to the credit card data of several of that vendor’s customers intermittently between February 10, 2013 and August 14, 2014.
“The impacted Goodwill members used the same affected third-party vendor to process credit card payments,” the company stated.
According to the update, the forensic investigation determined that 330 Goodwill stores in 20 states, representing about 10 percent of all Goodwill stores, were affected, but that no internal Goodwill systems had been infected with malware.
Forbes reports that approximately 868,000 payment cards were compromised.
Still, the company says only names, payment card numbers and expiration dates were exposed — no other personal information such as mailing addresses or PINs was impacted.
“We realize a data security compromise is an issue that every retailer and consumer needs to be aware of today, and we are working diligently to prevent this type of unfortunate situation from happening again,” Goodwill president and CEO Jim Gibbons said in a statement.
An idRADAR report uncovered one piece of information that wasn’t in Goodwill’s update — the identity of the third-party vendor involved in the breach, retail point-of-sale (PoS) solutions provider C&K Systems, which boasts more than 500 business clients.
A data breach notice filed with the State of North Carolina identified C&K as the vendor involved, and also stated that Goodwill is “no longer using the affected vendor’s systems to process payment card transactions.”
Third-party vendors are a common source of security breaches. As Rapid7 global security strategist Trey Ford recently told eSecurity Planet, “Attackers are going to be like water — they’re going to follow the path of least resistance. So it may be that a lot of your core systems are very carefully measured, but you don’t get to wash your hands and shrug off liability when you give sensitive data to external companies.”
Data breaches at AT&T, Lowe’s and AutoNation earlier this year were also caused by third-party vendors — and more recently, Legal Sea Foods began informing an undisclosed number of mail order customers who had made online purchases between January 1, 2014 and May 21, 2014 that “the company that operates a segment of our mail order Web sales and e-commerce environment” had been breached, potentially exposing their names, credit card numbers, expiration dates and CVV codes.
“To prevent this from happening again, we required our vendor to move this segment of our mail order and e-commerce system to a new server environment with enhanced security measures,” Legal Sea Foods director of mail order Lisa Landry wrote in the notification letter [PDF].