Cyber Incident Victim: Goodwill Industries

Date: Jan 2022

Location: United States of America

Summary

A nonprofit organization experienced a data breach affecting its e-commerce auction platform, exposing customers' personal contact information including names, email addresses, phone numbers, and mailing addresses. The incident stemmed from a website vulnerability that allowed unauthorized third-party access, though payment card details remained unaffected as they were not stored on the platform's servers. Account credentials were also not compromised during the breach. The organization promptly addressed the security flaw and notified impacted individuals, offering a dedicated contact channel for further inquiries while emphasizing its commitment to safeguarding personal information.

Description

On January 14, 2022, Goodwill publicly disclosed a data breach impacting customers of its ShopGoodwill.com e-commerce auction platform. The nonprofit organization confirmed that unauthorized third parties exploited a vulnerability in the platform’s website, resulting in the exposure of buyers’ personal contact information. According to ShopGoodwill Vice President Ryan Smith, the compromised data included affected individuals’ first and last names, email addresses, phone numbers, and mailing addresses. The breach notification letters clarified that payment card information remained unaffected, as ShopGoodwill does not store such data on its servers. Smith emphasized that while attackers accessed buyer contact details, they did not compromise user accounts on the platform. Goodwill did not specify the exact number of affected individuals or the timeframe during which the vulnerability was actively exploited.

Upon identifying the issue, Goodwill addressed the vulnerability and secured its systems to prevent further unauthorized access. The organization notified impacted customers directly via breach notification letters, advising them to monitor their personal information for misuse. Smith stated ShopGoodwill’s commitment to safeguarding user data and apologized for any concern caused by the incident. The nonprofit directed individuals with unresolved questions to contact [email protected] and pledged to provide updates if additional relevant information emerged. Goodwill, which reported assisting over 25 million people with disabilities or disadvantages in 2019 and training 230,000 individuals for careers in sectors like IT and healthcare, operates its e-commerce platform alongside a global network of thrift stores. A Goodwill spokesperson declined to comment further when contacted by BleepingComputer on the disclosure date.
