Goodwill Confirms Theft of Payment-Card Data
Credit: Goodwill Industries
Thieves have stolen data from credit and debit cards used at dozens of Goodwill store locations, the parent company of the Goodwill organization confirmed yesterday (September 2). Other companies that used the same payment processor, which was not named by Goodwill, may also be affected.
News that Goodwill might have had cards stolen first appeared this past July, and the incident seems to have nothing to do with the possible card-data breach at Home Depot stores in the United States disclosed yesterday. Nevertheless, if you believe your credit or debit card may be affected, here's what you should do.
In a statement, Goodwill Industries International president Joseph R. Mendez said criminals gained access to credit- and debit-cards used at Goodwill locations, operated by 20 different Goodwill independent regional affiliates, by placing malware in the computer systems of the third-party payment processor those affiliates used.
Each Goodwill store worldwide is operated by one of 165 regional affiliates which do not share all operations. For example, in California, only Goodwill of Sacramento Valley & Northern Nevada was affected by the card theft, and only 23 of that affiliate's 28 locations were hit.
Payment processors are companies that work behind the scenes handling electronic financial transactions for retail stores, and have often been targets for cybercriminals seeking payment-card data. Most payment processors will have multiple companies as customers.
Other companies that used the same payment processor as the affected Goodwill stores may also be affected. Mendez said none of the affected retail locations still used that payment processor, and that there was no trace of malware on Goodwill's own systems.
Mendez said that an independent security firm hired by Goodwill Industries determined the malware had been present in the payment processor's systems for 18 months, from Feb. 10, 2013 to Aug. 14, 2014. It affected Goodwill stores for almost all of that time, from June 25, 2013 to Aug. 14, 2014.
If you've shopped at a Goodwill store since June 2013, check this list of affected stores on the company's website.
Goodwill affiliate organizations have received "a very limited number of reports" that cards connected to their stores had been fraudulently used, said a Goodwill Industries statement.
If this is all starting to sound like your financial information may be included in the stolen data, there are a few steps you can take right now to minimize the risk.
First, contact each of the three major credit-reporting agencies, Experian, Equifax and TransUnion, and ask them to put a credit alert on your file. This is free for up to 90 days, after which you can put another credit alert on your account. While the alert is active, you will be notified if anyone requests your credit report, or opens or attempts to open an account in your name.
Second, request a free credit report from one of the three agencies. (By law, each has to give you one free report per year, if requested.) In two to four months' time, request another credit report from a different company. If you don't see any malicious activity after four months, you're probably okay.
Third, keep an eye on your own credit- and debit-card accounts for signs of suspicious activity. Check the balances every few days for the next couple of months. Some card issuers let you do so online, but it's probably safer to call the customer-service number on the back of the card and use the automated voice-controlled system.
- 12 Computer-Security Mistakes You're Probably Making
- 'Don't Take Nude Selfies' Is Not Good Security Advice (Op-Ed)
- 10 Worst Data Breaches of All Time
Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, on Facebook and on Google+.