ROCKVILLE, MD — Goodwill Industries International (GII) today provided an update on behalf of its members regarding the potential data security issue it previously announced in July. Following GII’s announcement, GII and the potentially affected Goodwill members engaged a third-party forensic expert to conduct an extensive investigation. GII and its members have also been working closely with federal law enforcement authorities and coordinating with the payment card brands to determine the facts.
The forensic investigation has confirmed that a third-party vendor’s systems were attacked by malware, enabling criminals to access some payment card data of a number of the vendor’s customers. The impacted Goodwill members used the same affected third-party vendor to process credit card payments. Each of the impacted Goodwill members took immediate action to ensure that the malware found on the third-party vendor’s systems no longer presents a threat to individuals shopping at the affected Goodwill members’ stores.
Based on the investigation, GII and its members have determined the following:
- Twenty Goodwill members (representing about 10 percent of all stores) that use the same affected third-party vendor were impacted.
- The investigation found no evidence of malware on any internal Goodwill systems.
- The third-party vendor’s affected systems contained payment card information, such as names, payment card numbers, and expiration dates of certain Goodwill members’ customers. There is no evidence that other customer personal information, such as addresses or PINs, was affected by this issue.
- The malware attack affected the third-party vendor’s systems intermittently between February 10, 2013, and August 14, 2014. Some stores experienced shorter periods of impact. A list of the Goodwill members’ store locations that used the affected vendor during the relevant time period is available on GII’s website at
- Goodwill members have received a very limited number of reports from the payment card brands of fraudulent use of payment cards connected to Goodwill members’ stores.
“We continue to take this matter very seriously. We took immediate steps to address this issue, and we are providing extensive support to the affected Goodwill members in their efforts to prevent this type of incident from occurring in the future,” said Jim Gibbons, president and CEO of Goodwill Industries International. “We realize a data security compromise is an issue that every retailer and consumer needs to be aware of today, and we are working diligently to prevent this type of unfortunate situation from happening again. Goodwill’s mission is to provide job training for people with disabilities and disadvantages. We provide this service to millions of people each year. They, our shoppers and our donors, are our first priority.”
Additional information related to this issue and steps that affected Goodwill members’ customers can take to help protect their information is available on the GII website at http://www.goodwill.org/payment-card-notice
About Goodwill Industries International
Goodwill Industries International is a network of 165 community-based agencies in the United States and Canada with a presence in 14 other countries. Goodwill agencies are innovative and sustainable social enterprises that fund job training programs, employment placement services and other community-based programs by selling donated clothing and household items in their stores and online at shopgoodwill.com®. Goodwill also builds revenue and creates jobs by contracting with businesses and government agencies to provide a wide range of commercial services, including packaging and assembly, food service preparation, and document imaging and shredding. In 2013, more than 9.8 million people in the United States and Canada benefited from Goodwill’s career services.
Director, Public Relations
Goodwill Industries International
Phone: (240) 333-5266