The investigation revealed that malware known as 'Infostealer.Rawpos' was used in the attack.

In a letter to customers dated Tuesday, Jim Gibbons, president and CEO of Goodwill Industries International (GII), announced that payment card data was accessed following a malware attack on a third-party vendor used in about 10 percent of stores.

The malware attack on the vendor's systems occurred sporadically from Feb. 10, 2013, to Aug. 14, 2014, Gibbons wrote, adding that the card data includes names, payment card numbers and expiration dates. He said that there is no evidence of other information, including addresses and PINs, being compromised.

Roughly 868,000 payment cards were compromised and 330 stores in 19 states were impacted, Lauren Lawson, a Goodwill spokesperson, told SCMagazine.com in a Thursday email correspondence. A full list of impacted Goodwill locations and periods of exposure can be found here.

“Our outside forensic expert has confirmed that the malware is known as rawpos, according to the Symantec reference,” Lawson said. “This data compromise incident is not related to the ['Backoff'] malware.”

Lawson confirmed in a follow-up email that she was referring to the malware in this Symantec post, which states that 'Infostealer.Rawpos,' a trojan discovered in February of this year, is designed to steal confidential information from compromised computers.

Goodwill has stopped using the affected third-party vendor for payment card processing and has found no evidence of infections on any of its internal systems, Gibbons wrote, adding that card brands have reported “very limited” fraudulent use of cards tied to Goodwill locations.

“Because this incident did not affect social security numbers, Goodwill is not offering credit monitoring services at this time,” Lawson said.

Actions are being taken to ensure a similar incident does not occur again, including launching an enterprise-wide Member Security Taskforce and establishing working agreements with security organizations to ensure best security practices are used, Lawson said.

“[GII] is working with the 158 independent, community-based Goodwill members across the country to launch an effort to harden their infrastructure,” Lawson said. “GII has intensified its educational efforts to include seminars and peer to peer learning opportunities about data security/PCI.”

The incident underscores how hackers can use third-party vendors as a “roundabout” way to access an organization's corporate network, Nir Polak, CEO and co-founder of Exabeam, told SCMagazine.com in a Thursday email correspondence.

“Rather than attempt to control all the various entry points a hacker can use to access a network, businesses can stay one step ahead of the game by more quickly identifying suspicious user behavior on the IT network – especially when it's coming from a third-party vendor,” Polak said.