Yesterday it was announced that a number of financial institutions reported tracking what could be a series of credit card breaches involving various Goodwill locations nationally. Goodwill operates more than 2,900 stores nationwide and has annual retail sales of $3.79 billion. Goodwill issued a statement indicating it is working with the U.S. Secret Service to investigate the possible breaches. At this juncture the scope of the breach remains unknown, but early reports suggest Goodwill’s systems could have been compromised as far back as the middle of 2013.
Banking sources have also reported the potential fraud involves retail stores in Arkansas, California, Colorado, Florida, Georgia, Iowa, Illinois, Louisiana, Maryland, Minnesota, Mississippi, Missouri, New Jersey, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia, Washington, and Wisconsin. Because Goodwill consists of a network of 165 independent agencies with separate regional headquarters in the United States, there is no centralized database containing customer credit card information. While this will make an investigation more difficult, it will also limit the scope of a breach and number of customers impacted.
In a statement sent to Krebs on Security, Goodwill said it first learned about a possible incident Friday, July 18.
“Goodwill Industries International was contacted last Friday afternoon by a payment card industry fraud investigative unit and federal authorities informing us that select U.S. store locations may have been the victims of possible theft of payment card numbers,” the company wrote in an email. “Investigators are currently reviewing available information,” the statement continued. “At this point, no breach has been confirmed but an investigation is underway. Goodwills across the country take the data of consumers seriously and their community well-being is our number one concern. Goodwill Industries International is working with industry contacts and the federal authorities on the investigation. We will remain appraised of the situation and will work proactively with any individual local Goodwill involved taking appropriate actions if a data compromise is uncovered.”