Goodwill payment systems compromised

Sep 04, 2014 | 2 mins
Security, Supply Chain Management Software

Just when you might have thought there wasn’t any more staying power in the parade of stories about point-of-sale systems being hacked, we find that even Goodwill isn’t immune.

Last week the organization confirmed that their point-of-sale systems had in fact been compromised and that twenty customers were affected. Wait…only twenty? The problem with the payment systems of their digital supply chain partner was that they were infected with malware from February 10, 2013 until the discovery of the issue on August 14, 2014. So…they’re telling us that in that time frame only twenty customers were affected? I’m sorry, but I’m having a hard time believing that, even if they are primarily a cash-based business model.

From Goodwill’s undated press release:

Goodwill Industries International was contacted last Friday afternoon by a payment card industry fraud investigative unit and federal authorities informing us that select U.S. store locations may have been the victims of possible theft of payment card numbers. Investigators are currently reviewing available information. At this point, no breach has been confirmed but an investigation is underway.

Since that release was posted (at some unknown date) the compromise has been confirmed. The customers involved would have made purchases between June 25, 2013 and August 14, 2014. No word as to why there is a discrepancy between the infection in February and the June date for the first customer that was affected. 

The investigation by federal law enforcement is still underway. They have prepared a letter to go out to affected customers that, for some unknown reason, has hyperlinks in it. A printed letter. 

Rather than offering credit protection for the affected parties, Goodwill pointed out that they can get free credit reporting from the three major credit reporting agencies as prescribed under US law. 


Dave Lewis has over two decades of industry experience. He has extensive experience in IT security operations and management. Currently, Dave is a Global Security Advocate for Akamai Technologies. He is the founder of the security site Liquidmatrix Security Digest and co-host of the Liquidmatrix podcast.

The opinions expressed in this blog are those of Dave Lewis and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
