The payment processor at the center of the data breach affecting Goodwill Industries International admitted that hackers held a foothold in its environment for more than a year.
In a statement, C&K Systems said it was informed by an independent security analyst July 30 that its hosted managed services environment may have been compromised. The following business day, C&K hired a team to research and analyze the problem and contacted law enforcement. The investigation uncovered that attackers had successfully penetrated the company’s hosted managed services environment intermittently between Feb. 10, 2013, and Aug. 14, 2014. The investigation also revealed that the company was compromised by infostealer.rawpos, point-of-sale malware its systems were unable to detect until Sept. 5.
“This unauthorized access currently is known to have affected only three (3) customers of C&K, including Goodwill Industries International,” according to the company’s statement. “While many payment cards may have been compromised, the number of these cards of which we are informed have been used fraudulently is currently less than 25.”
All the affected customers were notified and steps were taken to process payment cards outside of the systems while the investigation continued, the company explained.
Goodwill became aware of the breach after it was notified by federal authorities and a payment card industry fraud investigative unit. Their investigation turned up no evidence of malware on any internal Goodwill systems. Twenty Goodwill members – representing about 10 percent of its stores – were impacted by the breach.
“We took immediate steps to address this issue, and we are providing extensive support to the affected Goodwill members in their efforts to prevent this type of incident from occurring in the future,” said Jim Gibbons, president and CEO of Goodwill Industries International, in a statement. “We realize a data security compromise is an issue that every retailer and consumer needs to be aware of today, and we are working diligently to prevent this type of unfortunate situation from happening again.”
“This incident demonstrates the need for two things,” said Rob Cotton, CEO at NCC Group. “The first is supplier assurance, as your organization is only as secure as the weakest supplier who has access to your environment. The second is a solid incident response strategy for when the worst happens.”
Organizations should work on the basis that both they and their suppliers will be compromised at some point, he added.
C&K Systems said it has put in place “cyber security controls that will detect any further unauthorized access along with cutting-edge technologies to identify potential zero-day advanced persistent threats (APT)” throughout its infrastructure.
“Our software vendor is in the process of rolling out a full P2PE solution with tokenization that we anticipate receiving in October 2014,” according to the company. “Our experience with the state of today’s threats will help all current and future customers develop tighter security measures to help reduce threat exposure and to make them more cognizant of the APTs that exist today and the impact of the potential threat to their businesses.”