In July of this year, Goodwill suffered a massive data breach affecting more than 330 store locations in at least 21 states. C&K Systems Inc., Goodwill's payment vendor, reported this week that the breach lasted for about 18 months prior to its discovery and shutdown.
C&K announced that security investigators the company hired after the breach discovered that hackers had intermittent access to Goodwill's systems from February 10 to August 14, with the incident being discovered on May 5.
The company's statement reported: "This unauthorized access currently is known to have affected only three customers of C&K, including Goodwill Industries International. While many payment cards may have been compromised, the number of these cards of which we are informed have been used fraudulently is currently less than 25."
The other two victims of the attack have not been disclosed, and we don't know how many cards were put at risk as a result of the breach.
The malware used to hack the C&K systems was a sophisticated version of the malware known as infostealer.rawpos, which is a memory scraping tool that affects swipe cards at point of sale systems. The hackers, most likely one or several criminal rings located in Eastern Europe and Russia, stole information a little at a time, so that the origin of the fraudulent cards on the market would be difficult to detect.
This approach worries security experts, because it suggests long-term planning and a more effective type of cyber-criminal that we may not be able to outrun in the future.
Be sure your credit card payment software is protected with the latest security technology. It's much easier to take preventative, defensive action than it is to clean up the mess of a nasty breach.