Goodwill payment systems compromised

Just when you might have thought there wasn’t anymore staying power in the parade of stories about point of sale systems being hacked we find that even Goodwill isn’t immune.

Last week the organization confirmed that their point of sale systems had in fact been compromised and that twenty customers were affected. Wait…only twenty? The problem with the payment systems of their digital supply chain partner was that they were infected with malware from February 10, 2013 until the discovery of the issue August 14, 2014. So…they’re telling us that in that time frame only twenty customers were affected? I’m sorry but, I’m having a hard time believing that even if they are primarily a cash based business model. 

From Goodwill’s undated press release:

Goodwill Industries International was contacted last Friday afternoon by a payment card industry fraud investigative unit and federal authorities informing us that select U.S. store locations may have been the victims of possible theft of payment card numbers. Investigators are currently reviewing available information. At this point, no breach has been confirmed but an investigation is underway.

Since that release was posted (at some unknown date) the compromise has been confirmed. The customers involved would have made purchases between June 25, 2013 and August 14, 2014. No word as to why there is a discrepancy between the infection in February and the June date for the first customer that was affected. 

The investigation by federal law enforcement is still underway. They have prepared a letter to go out to affected customers that, for some unknown reason, has hyperlinks in it. A printed letter. 

Rather than offering credit protection for the affected parties, Goodwill pointed out that they can get free credit reporting from the three major credit reporting agencies as prescribed under US law.