FORT WAYNE, Ind. (WANE) – Goodwill Industries International said a third-party vendor’s systems were attacked by malware.
The company announced the breach in July, but provided the results of an extensive investigation Tuesday.
Goodwill said it hired a third-party forensic expert to investigate the breach and determined malware found on the vendor’s systems likely enabled criminals to access some payment card data of a number of customers. The impacted Goodwill stores used the same affected third-party vendor to process credit card payments.
Goodwill said immediate action was taken to stop the threat.
The company said the malware may have accessed customer’s payment card information, including: names, card numbers, and expiration dates. No information was found to include personal information, such as addresses or PINs.
Several southern Indiana stores were impacted. Stores in Celina and Van Wert, Ohio were on a list provided by the company.
“We continue to take this matter very seriously. We took immediate steps to address this issue, and we are providing extensive support to the affected Goodwill members in their efforts to prevent this type of incident from occurring in the future,” said Jim Gibbons, president and CEO of Goodwill Industries International. “We realize a data security compromise is an issue that every retailer and consumer needs to be aware of today, and we are working diligently to prevent thistype of unfortunate situation from happening again. Goodwill’s mission is to provide job training for people with disabilities and disadvantages. We provide this service to millions of people each year. They, our shoppers and our donors, are our first priority.”
Goodwill said none of its internal systems were compromised.
The investigation found the vendor’s systems were intermittently attacked between Feb. 10, 2013 and Aug. 14, 2014.
Goodwill continues to work with federal law enforcement and banks on the security breach.