Bad news for thrift-store shoppers: though details remain sketchy, it appears certain that hackers have breached the customer credit-card database of Goodwill Industries.
Security blogger Brian Krebs first broke the news on Monday, after his sources reported that financial institutions have been tracking a new series of fraudulent credit-card purchases. Though the fraudulent charges have mostly been made in major supermarkets or big-box retail stores, the stolen card numbers' common point of purchase appears to be Goodwill stores in at least 21 different states: Arkansas, California, Colorado, Florida, Georgia, Iowa, Illinois, Louisiana, Maryland, Minnesota, Mississippi, Missouri, New Jersey, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia, Washington and Wisconsin.
It's not known exactly how long this breach has existed, but Krebs' sources said it might stretch as far back as the middle of 2013.
If you have, in the past year, bought anything at a Goodwill store (especially in one of those listed states) and paid with a credit, debit or money card, your account information might be in the hands of identity thieves. Even if you shopped at a store in one of the other states, you might still be at risk – it's too early to tell if the previous list is all-inclusive.
A Goodwill spokeswoman told Krebs that the company “was contacted last Friday afternoon [July 18] by a payment card industry fraud investigative unit and federal authorities informing us that select U.S. store locations may have been the victims of possible theft of payment card numbers. … Goodwill Industries International is working with industry contacts and the federal authorities on the investigation. We will remain appraised of the situation and will work proactively with any individual local Goodwill involved taking appropriate actions if a data compromise is uncovered.”