Goodwill starts identifying stores impacted by payment processor breach
Following up on a breach first disclosed by Brian Krebs:
Goodwill Industries of Kansas has released a list of twenty stores across the state affected by a security breach it announced in July. The charity said it confirmed the breach after an extensive investigation.
The Goodwill said the stores affected used the same third-party vendor to process customer payment cards. The charity said the vendor’s system was attacked by malware and customers’ names, payment card numbers and expiration dates were exposed. There was no evidence that other personal information, such as addresses or PINs, was affected by this issue.
The Goodwill said it has since stopped using the vendor.
Read more on KWCH12.
Kansas stores weren’t the only ones affected, as locations in 19 states plus Washington, D.C. were impacted. Goodwill Industries of Sacramento Valley and Northern Nevada, Inc. submitted a copy of its notification letter to customers to the California Attorney General’s Office today with a list of 23 stores impacted in California.
An updated press release on Goodwill’s site adds some additional information:
- The malware attack affected the third-party vendor’s systems intermittently between February 10, 2013, and August 14, 2014. Some stores experienced shorter periods of impact. A list of the Goodwill members’ store locations that used the affected vendor during the relevant time period is available on GII’s website at
- Goodwill members have received a very limited number of reports from the payment card brands of fraudulent use of payment cards connected to Goodwill members’ stores.
None of the public sources name the vendor.