Approximately 330 stores in 20 states were affected by the compromise, according to the not-for-profit charitable organization that sells donated merchandise to fund job programs (Click here for the complete list of impacted stores and the time periods when they were compromised).
The impacted locations - which represent more than 10 percent of Goodwill's 2,900 stores - all used the same processor, which was not identified in the charity's announcement. The malware affected the processor's systems intermittently between Feb. 10, 2013, and Aug. 14, 2014, Goodwill says. There was no evidence of malware on any internal Goodwill systems, the investigation confirmed.
Goodwill comprises a network of 165 independent headquarters. Some 20 of those "members" were affected by the breach. "The impacted Goodwill members used the same affected third-party vendor to process credit card payments," the charity reports.
Information exposed in the breach includes names, payment card numbers and expiration dates of certain Goodwill customers. There is no evidence that other customer personal information, such as addresses or PINs, were affected by the malware, Goodwill says.
Fraud ReportsThe charity says it received a very limited number of reports from the payment card brands of fraudulent use of payment cards connected to Goodwill stores.
"We want you to know that we and our impacted Goodwill members have taken steps to secure customers' data, and all impacted stores have stopped using the affected third-party vendor to process customers' payment cards," says Jim Gibbons, president and CEO of Goodwill. "We also took immediate action to ensure the malware found on the third-party vendor's systems does not present a threat to individuals shopping at our stores."
The breach was confirmed following a forensics investigation launched in July when news of a possible breach first surfaced (see: Analyzing Possible Goodwill Breach). Goodwill worked closely with federal law enforcement authorities and the payment card brands in conducting the investigation.
Goodwill did not immediately respond to a request for additional information.