A possible breach at Goodwill is bad, but nothing special

Last week, Goodwill Industries International was alerted by federal authorities to a possible payment card breach at several of their U.S. locations. Reaction to this news has been typical for the most part, as they’re yet another retailer that has to deal with the aftermath of a potentially massive security incident.

On Monday, Goodwill addressed the situation in a statement:

“At this point, no breach has been confirmed but an investigation is underway. Goodwills across the country take the data of consumers seriously and their community well-being is our number one concern. Goodwill Industries International is working with industry contacts and the federal authorities on the investigation.”

At the same time, many of the comments in the hours following this announcement seem to take the stance that an attack against Goodwill, which is a network comprised of 165 agencies in North America that sells donated goods (clothing and household items) and uses the proceeds to fund job training and employment initiatives, is especially tragic.

“As an IT and security professional, I feel for Goodwill on this breach. Like most non-profits, they have a core mission; and spending significant dollars on high-end security for point of sale systems are dollars not going toward fulfilling that mission,” commented Philip Casesa, Director of IT/Service Operations for (ISC)2.

“The situation seems to be the new fad,” he added, noting that criminals are picking on companies with high volume transactions, where security is an afterthought because of corporate culture, thin sales margins or, in Goodwill’s case, “an organization with a positive mission looking to maximize benefits to the community.”

“At the end of the day, the real shame here is that Goodwill now has to divert attention and resources to this incident, instead of focusing on their mission to help individuals and families.”

What fad?

Passively, this statement seems to excuse Target – the only other major retailer breach of note this year – for their problems, while simultaneously painting Goodwill as some sort of special victim. Moreover, are the criminals somehow especially evil in this case, just because they targeted a charitable organization? No, they’re not. They’re criminals, nothing more, nothing less.

If Goodwill was in fact breached, it’s bad. They were victimized, and those who shop there and help support the organization’s goals are potentially at risk. However, they’re no better or worse than Target.

And if Target isn’t part of this alleged fad, who is? Neiman Marcus? P.F. Chang’s? Michaels? Sally Beauty? None of them operate on the same level of volume with regard to sales and reach, and their missions aren’t even close to what Goodwill does.

“Many organizations have been in denial for too long – executives are tempted to think ‘why would anyone come after us?’,” said Dr. Mike Lloyd, CTO at RedSeal Networks.

“Many industries are loved by the public, and can lapse into thinking they don’t have enemies, and so don’t really need to worry about security. But the fact is that attackers use automation, and search for any door you leave open in your infrastructure – they can twist doorknobs on a global scale, and they don’t much care which doors they open.”

If Goodwill was breached, and indications so far seem to point to a problem of some type, it’s bad. But the organization isn’t alone. Others were breached before them; others will follow, so they’re no snowflake.

If anything, Casesa’s comments outline the reality that security isn’t something that can be taken addressed by throwing money at it. Security is a process that has to evolve with the organization – a process that’s always easier to outline on paper and speak about, than it is to implement.