Cyber Incident Victim: Goodwill Industries
Date: Feb 2013
Location: United States of America
Summary
Goodwill Industries experienced a credit card data breach impacting stores across multiple states due to compromised point-of-sale systems managed by a third-party provider. Attackers infiltrated the provider's hosted services platform using customized memory-scraping malware designed to capture unencrypted payment card data during transactions, evading detection for over 18 months. The breach affected at least two additional unnamed retailers and was discovered after financial institutions traced fraudulent transactions to compromised cards. Forensic analysis linked the incident to criminal organizations employing sophisticated, long-term attacks targeting retail payment systems, with similarities to other major breaches but involving distinct malware variants. The theft bypassed existing security standards by intercepting card data before encryption.
Description
The Goodwill Industries credit card data breach was first publicly reported in July 2014 after security journalist Brian Krebs traced the incident back to compromised point-of-sale systems managed by third-party vendor C&K Systems. Forensic investigation determined attackers intermittently accessed C&K's Hosted Managed Services Platform between February 10, 2013 and August 14, 2014—a period exceeding 18 months. This platform supported Goodwill's retail operations across at least 21 states through a managed services contract that outsourced POS system administration. C&K confirmed the breach impacted Goodwill and two additional unnamed retail clients, though no other customers were affected. The intrusion remained undetected until September 5, 2014, when security software identified a specialized variant of infostealer.rawpos malware designed to harvest payment card data from memory during transaction processing.

Attackers employed memory-scraping malware that captured unencrypted credit card details immediately after card swipes, bypassing PCI security standards by intercepting data before encryption. Financial institutions discovered the breach by tracing fraudulent transactions—primarily occurring at big-box retailers and grocery stores—back to compromised cards used at Goodwill locations. These fraudulent purchases frequently involved gift cards or easily resold merchandise convertible to cash. The breach timeline overlaps with high-profile incidents at Target, Home Depot, and Neiman Marcus, though those attacks used different malware (BlackPOS), suggesting multiple criminal groups were conducting parallel operations. C&K's forensic analysis revealed the attackers operated intermittently over the extended period, extracting data without triggering detection mechanisms. No reliable estimate of the number of compromised cards was established, and a complete accounting of affected consumers was deemed unlikely. The incident highlighted systemic vulnerabilities in third-party managed POS services and accelerated industry discussions about transitioning to EMV chip-and-PIN technology, with Visa and MasterCard planning liability shifts for magnetic stripe fraud by October 2015 to incentivize security upgrades.
