Goodwill Investigating Possible Theft of Credit Card Data

Goodwill, headquartered in Rockville, Md., operates 165 independent agencies in the United States and Canada, as well as 14 other countries. Credit: Michael Reilly/Daily News-Record, via Associated Press

Goodwill Industries International, a nonprofit agency that operates thrift stores around the country, said on Monday that it was investigating a potential security breach that may have led to the theft of customers’ credit card data.

In a statement, Goodwill said it had been contacted Friday afternoon by federal authorities and a fraud investigation unit about a possible data theft at its American store locations. Goodwill said it was working with the authorities.

“At this point, no breach has been confirmed, but an investigation is underway,” the statement said. “Goodwill Industries International is working with industry contacts and the federal authorities on the investigation.” The agency said it would “work proactively with any individual local Goodwill involved, taking appropriate actions if a data compromise is uncovered.”

The possible theft was first reported by Brian Krebs, a security blogger, who said that several financial institutions were able to tie an unusually high number of fraudulent purchases back to cards that had recently been used to make purchases at Goodwill stores.
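The technique the financial institutions used is commonly called common-point-of-purchase analysis: take the cards that were later reported for fraud, look at where they had all been used shortly before, and see which merchant they share. The following Python block is an added illustration of that analysis and is not code from the article or from any bank or investigator; the transaction records, card tokens, merchant names and the June 2014 window are all constructed for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records (not from the article): card-present purchases
# recorded as (card_token, merchant, purchase_date). Card tokens are synthetic.
TRANSACTIONS = [
    ("c1", "thrift-store-A", date(2014, 6, 3)),
    ("c2", "thrift-store-A", date(2014, 6, 4)),
    ("c3", "thrift-store-A", date(2014, 6, 9)),
    ("c4", "thrift-store-A", date(2014, 6, 12)),
    ("c5", "thrift-store-A", date(2014, 6, 15)),
    ("c6", "thrift-store-A", date(2014, 3, 1)),   # before the window: ignored
    ("c1", "grocery", date(2014, 6, 5)),
    ("c3", "grocery", date(2014, 6, 6)),
    ("c5", "grocery", date(2014, 6, 7)),
    ("c6", "grocery", date(2014, 6, 8)),
    ("c7", "grocery", date(2014, 6, 9)),
    ("c8", "grocery", date(2014, 6, 10)),
    ("c2", "gas-station", date(2014, 6, 11)),
    ("c6", "gas-station", date(2014, 6, 12)),
]

# Cards the issuer later flagged for fraudulent charges (constructed).
FRAUD_CARDS = {"c1", "c2", "c3", "c4"}

# Look-back window in which the fraud cards were legitimately used (constructed).
WINDOW_START = date(2014, 6, 1)
WINDOW_END = date(2014, 6, 30)


def common_points_of_purchase(transactions, fraud_cards, window_start, window_end,
                              min_fraud_cards=2):
    """Rank merchants by how many later-flagged cards shopped there in the window.

    Returns a list of dicts sorted by fraud-card count, then by the share of that
    merchant's cards that were flagged. Merchants seen with fewer than
    min_fraud_cards flagged cards are dropped to suppress single-card noise.
    """
    cards_by_merchant = defaultdict(set)
    for card, merchant, day in transactions:
        if window_start <= day <= window_end:
            cards_by_merchant[merchant].add(card)

    results = []
    for merchant, cards in cards_by_merchant.items():
        hit = len(cards & fraud_cards)
        if hit < min_fraud_cards:
            continue
        results.append({
            "merchant": merchant,
            "fraud_cards": hit,
            "total_cards": len(cards),
            "fraud_share": hit / len(cards),
        })
    results.sort(key=lambda r: (r["fraud_cards"], r["fraud_share"]), reverse=True)
    return results


if __name__ == "__main__":
    report = common_points_of_purchase(TRANSACTIONS, FRAUD_CARDS, WINDOW_START, WINDOW_END)
    for row in report:
        print(f"{row['merchant']:15} flagged {row['fraud_cards']} of "
              f"{row['total_cards']} cards ({row['fraud_share']:.0%})")
```

On the constructed data the thrift store surfaces first (four of its five cards were later flagged) while the grocery store, which most cardholders also visit, ranks lower because only a third of its cards were flagged. The share matters as much as the raw count: a high-volume merchant will appear on almost every compromised card's history by chance alone, so an issuer normally compares each merchant's share against its baseline before treating it as the likely breach point.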

Brian Leary, a spokesman for the Secret Service — which has been investigating recent breaches at Target, Neiman Marcus and other retailers — said the agency would not comment on whether it was investigating the possible breach at Goodwill.

Goodwill, which is based in Rockville, Md., has 2,900 stores. The shops collect and sell donated clothing and household goods and use the proceeds for work training, job placement services and other community-based initiatives.

If the breach at Goodwill is confirmed, it will be the sixth major chain — after Target, P.F. Chang’s, Neiman Marcus, Michaels and Sally Beauty Supply — to acknowledge that its systems had been recently compromised. In those cases, criminals installed so-called malware on retailers’ systems, which fed customers’ payment details back to their computer servers.

The same group of criminals in Eastern Europe is believed to be behind the earlier attacks. The group is also believed to be part of a broader attack directed at as many as six other retailers, according to two people investigating the breaches who would speak only on the condition of anonymity.

The entry point for each breach differed, according to one law enforcement official. At Target, it was believed to be a Pennsylvania company that provided heating, air conditioning and refrigeration services to the retailer. Criminals were able to use the company’s log-in credentials to gain access to Target’s systems and, eventually, its point-of-sale systems.

Studies have found that retailers are underprepared for such attacks. A joint study by the Ponemon Institute, an independent security research firm, and DB Networks, a database security firm, found that a majority of computer security experts in the United States believed that their organizations lacked the technology and tools to quickly detect database attacks. Only one-third of those experts said they did the kind of continuous monitoring needed to identify irregular activity in their databases, and an additional 22 percent admitted that they did not scan at all.