Goodwill Names Vendor in BreachC&K Systems Identified as Third Party Hit by Malware
Goodwill Industries International has confirmed that C&K Systems was the third-party vendor compromised in a data breach that impacted about 330 of its stores, resulting in the exposure of details on 868,000 U.S. debit and credit cards (see: Goodwill: 868,000 Cards Compromised).
See Also: Autonomous Response: Threat Report
The vendor, based in Murrells Inlet, S.C., manages and deploys cloud-based retail point-of-sale environments for small- and medium-sized specialty retailers. Some 20 of Goodwill's 165 independent headquarters, known as "members," used the vendor at their 330 stores, says Lauren Lawson-Zilai, a spokeswoman for the not-for-profit charitable organization that sells donated merchandise to fund job programs.
"All 20 previously affected Goodwill members have stopped using C&K Systems to process customers' payment cards," Lawson-Zilai told Information Security Media Group. "There is no longer a threat to individuals shopping at the previously affected Goodwill members' stores."
Earlier this month, Goodwill said the breach stemmed from malware known as RAW.PoS, which was used to compromise a third-party vendor. Information exposed in the breach includes names, payment card numbers and expiration dates (see: Goodwill Confirms Card Data Breach).
News of C&K Systems being the impacted vendor first came from idRADAR, an identity theft protection firm, which obtained a copy of the data breach notice Goodwill sent to the State of North Carolina that identified the third party.
C&K Systems did not respond to a request for additional information.
While details on the attack on C&K Systems are scarce, two security experts say it's possible the compromise was the result of a remote-access attack.
"There is an ever-present possibility that criminals are favoring remote access-type attacks because the log-in credentials needed to access the databases and/or hardware are elements that could easily be obtained through phishing or social engineering," says John Buzzard, product manager for FICO Card Alert Service.
In July, a remote-access attack compromised Vancouver, Wash.-based food-service POS and security systems provider Information Systems & Supplies Inc. (see: POS Vendor: Possible Restaurant Breach). IS&S notified restaurants throughout the northwestern United States of the compromise that may have exposed card data linked to POS transactions.
Remote access has been the typical culprit when a single vendor's terminals have been implicated in a breach, making it a likely means of compromise in the Goodwill incident, says Al Pascual, a financial fraud and banking security analyst for consultancy Javelin Strategy & Research. "Odds are that there was a weak default or admin password in use and the system lacked any other form of authenticating a user accessing the system remotely," he says.
"This is low-hanging fruit for any organization and more needs to be done to educate businesses on these simple-to-remediate threats," Pascual says.