In July, security bloggers first reported signs indicating that hackers might have gained access to the customer database of Goodwill stores throughout the nation, in order to steal credit-card numbers and similar information.
At the time, spokespeople for Goodwill would only confirm that “a payment card industry fraud investigative unit and federal authorities” had warned the company about the possibility of malware-driven data theft.
This week, however, Goodwill confirmed the full story: yes, customer information was stolen from many (though not all) Goodwill locations, due to a malware attack against the “third-party vendor” Goodwill hired to process credit card payments.
The good news is that, as bad as the attack was, it wasn't quite as far-reaching as initial reports suggested. Preliminary reports in July seemed to indicate that stores in at least 21 states were hit, though in reality, the attack “only” affected stores in 19 states and the District of Columbia.
The forensic investigation has confirmed that a third-party vendor’s systems were attacked by malware, enabling criminals to access some payment card data of a number of the vendor’s customers. The impacted Goodwill members used the same affected third-party vendor to process credit card payments. Each of the impacted Goodwill members took immediate action to ensure that the malware found on the third-party vendor’s systems no longer presents a threat to individuals shopping at the affected Goodwill members’ stores. … The malware attack affected the third-party vendor’s systems intermittently between February 10, 2013, and August 14, 2014.
Goodwill posted a list of all affected stores, including the full street address of each location, and the dates each individual store was affected. The affected stores were in Alabama, California, Colorado, Florida, Georgia, Illinois, Indiana, Kansas, Louisiana, Maryland, Missouri, North Carolina, New Mexico, Ohio, Pennsylvania, South Carolina, Tennessee, Virginia, West Virginia and Washington, D.C.
Goodwill also added, “If [a] state does NOT appear on this list, it has not been affected.” Of course, the corollary to that statement is: If you made a credit- or debit-card purchase in any Goodwill store in any of those states since February 2013, you must check this list to see if the specific store you patronized was attacked. If so, make sure you take all the standard precautions to protect yourself from identity theft.