Threatwatch

Goodwill charity stores suffer payment card breach

Payment device infection; User accounts compromised

Locations nationwide selling donated items have been identified as a likely point of compromise for an unknown number of credit and debit cards.

“Goodwill Industries International was contacted last Friday afternoon by a payment card industry fraud investigative unit and federal authorities informing us that select U.S. store locations may have been the victims of possible theft of payment card numbers,” the company wrote in an email. “Goodwill Industries International is working with industry contacts and the federal authorities on the investigation. We will remain appraised of the situation and will work proactively with any individual local Goodwill involved taking appropriate actions if a data compromise is uncovered.”

Sources tell Krebs they have traced a pattern of fraud on cards that were previously used at Goodwill stores across at least 21 states, including Arkansas, California, Colorado, Florida, Georgia, Iowa, Illinois, Louisiana, Maryland, Minnesota, Mississippi, Missouri, New Jersey, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia, Washington and Wisconsin.

The fraudulent charges, on cards (legitimately) used at Goodwill, occurred “at non-Goodwill stores, such as big box retailers and supermarket chains,” Krebs writes. “This is consistent with activity seen in the wake of other large data breaches involving compromised credit and debit cards, including the break-ins at Target, Neiman Marcus, Michaels, Sally Beauty, and P.F. Chang’s.”

sector

Nonprofit

reported

July 21, 2014

reported by

Krebs on Security

number affected

Unknown

location of breach

United States

perpetrators

Criminals

location of perpetrators

Unknown

date breach occurred

as far back as the middle of 2013

date breach detected

July 18, 2014