Cyber Incident Victim: America's Thrift Stores
Date:
Sep 2015
Location:
United States of America
Summary
A Southeastern U.S. thrift store chain experienced a payment card breach involving malware that targeted a third-party service provider, enabling unauthorized access to card numbers and expiration dates during a multi-week period. Eastern European attackers exploited the breach to produce counterfeit cards, as confirmed by banking fraud patterns, though no customer names or contact information were compromised. The for-profit organization, operating across multiple states and supporting nonprofit partners, attributed the incident to a widespread malware campaign affecting North American retailers, paralleling a previous breach at another thrift retailer linked to third-party payment system vulnerabilities.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In September 2015, Americas Thrift Stores, a for-profit thrift store chain operating across the southeastern United States, experienced a cybersecurity breach affecting customer payment card data. The incident stemmed from malware targeting software managed by an unnamed third-party service provider, enabling unauthorized access by criminals based in Eastern Europe. According to the company’s CEO, the breach compromised payment card numbers and expiration dates from transactions occurring between September 1 and September 27, 2015, but did not expose customer names, phone numbers, addresses, or email addresses. The U.S. Secret Service corroborated the scope of the stolen data, emphasizing that no personally identifiable information beyond card details was accessed. Despite this assurance, multiple banking institutions reported fraudulent activity on cards used at Americas Thrift Stores locations during the breach window, indicating that attackers successfully counterfeited physical cards using the stolen data. The company publicly disclosed the incident in October 2015, urging customers who made purchases during the affected period to monitor their accounts for suspicious transactions.
Americas Thrift Stores, headquartered in Birmingham, Alabama, operated over 1,000 employees across Alabama, Georgia, Tennessee, Mississippi, and Louisiana at the time of the breach. The organization functioned as a revenue generator for nonprofit partners, distributing over $4 million annually from donated goods sales. Following the breach, the company collaborated with law enforcement, including the U.S. Secret Service, to investigate the incident but did not disclose specific containment measures or forensic findings. The breach mirrored a 2014 incident involving Goodwill stores, which was linked to vulnerabilities at third-party vendor C&K Systems, though no analogous third-party attribution was confirmed for Americas Thrift Stores. The company’s statement emphasized the malware as part of a broader pattern of attacks targeting North American retailers but provided no further technical details about the intrusion vector or malware variant. Financial institutions continued to observe fraud patterns tied to the stolen card data, confirming the operational impact on affected customers.