Even companies whose aim is to help others aren’t immune to attacks from computer hackers looking to steal payment card information. Recently there have been a number of reports that Goodwill Industries was investigating a possible data breach that would have exposed debit and credit cards used to purchase items in various Goodwill stores. The incident, which Goodwill learned about on July 18th, was brought to the company’s attention after sources in the financial industry identified multiple locations as likely points of compromise. While Goodwill Industries has not confirmed that there was a breach of their systems, they did state, “Goodwill Industries International is working with industry contacts and the federal authorities on the investigation.”
Who was affected?
Since this attack is still in the early stages of investigation, it is hard to put a number on how many people might have had payment card data exposed as a result of this breach. Goodwill Industries operates over 2,900 stores; however, sources state that there has been a pattern of fraudulent activity on cards that were used at Goodwill stores in the states of Arkansas, California, Colorado, Florida, Georgia, Iowa, Illinois, Louisiana, Maryland, Minnesota, Mississippi, Missouri, New Jersey, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia, Washington and Wisconsin. Some reports from financial industry sources say that this breach could have extended back as far as 2013, so the end number could be rather large.
How did this happen?
Since little has been released about the specifics, it is not yet known how hackers were able to steal this data. It is possible that they installed malware on the point-of-sale terminals at different Goodwill stores to steal information when cards were swiped. Another scenario could be that the database where card information is stored was compromised, and the card numbers were stolen from there.
How were consumers notified?
Goodwill Industries did release information regarding the potential breach on their company website, and they have responded to multiple news sources regarding this possible attack. States like California require that companies that have allowed their customers' information to be compromised notify those customers in writing. Since stores in the state of California were likely part of this attack, individual notifications will follow if there is evidence that customer information was stolen.
How were consumers impacted?
Regardless of who was attacked, customers have been dealing with fraudulent charges made to their payment cards. As in all hacking attacks where debit and credit cards are affected, customers will have to keep a close eye on charges against their cards, as well as their credit scores, so they can quickly dispute any charges that they did not make.
How was the company impacted?
If further evidence proves that Goodwill Industries was at fault for losing payment card data, there will be fines and restitution to be paid at their expense. How much they will be made to pay depends upon how many customers were affected by this incident. Paying for credit monitoring for customers after personal information is exposed may also be an expense that Goodwill needs to bear.
How can they fix it?
Many times, non-profit agencies do not think that they will be targeted by hackers because they don’t present as a worthwhile target. When malicious hacking was done to gain a reputation or to cause mischief, this may have been the case; however, now that criminal organizations are behind computer crimes, anyone is a target. Goodwill’s investigation will likely turn up the cause of the breach, if there is one. It will likely trace back to malware being installed on their network at some point, so fixing the problem will require a review of anti-virus updates and a comprehensive training program for employees so they can learn to spot suspicious activity before it becomes a problem.