POS Service Confirms Goodwill Breach Lasted 18 Months

Third-party payment vendor C&K Systems released details regarding a breach that affected its systems for 18 months and went on to affect customers who shopped at Goodwill.

Third-party payment vendor C&K Systems released further details this week regarding a breach that affected its systems for 18 months and went on to affect customers who shopped at Goodwill, in addition to two unnamed retailers.

The company provided an update on the breach via a press release Monday morning, corroborating earlier reports from Goodwill that malware had infected its systems from Feb. 1, 2013 to Aug. 14, 2014.

The company admits that while it was informed by an independent security analyst at the end of July that its system might have been compromised, it wasn’t until Sept. 5, that it was able to confirm the attack.

The South Carolina-based company claims that after hiring a “cyber investigative team,” it was able to detect a type of point-of-sale malware, infostealer.rawpos, that ultimately siphoned payment card information away from its managed services hosting facility.

Infostealer.rawpos is a Trojan that searches for track one and track two data from credit cards, then forwards that information along to a remote location.

C&K’s Managed Services system is responsible for managing the point of sale environments, workstations, cloud storage and antivirus of its customers, primarily large retail chains. While C&K counts more than 500 companies as clients, it’s not exactly clear, in addition to Goodwill, which other two companies were breached.

In the release, C&K downplays the breach by insisting that fewer than 25 of the payment cards that were stolen over that 18-month period have been used fraudulently so far.

To thwart future attacks, C&K claims it has implemented “cutting-edge technologies” that will identify advanced persistent threats (APTs) going forward and that the company will continue to work closely with law enforcement to “investigate and pursue criminal prosecution.”

It was in mid-July that rumors first began to swirl that Goodwill had been breached.

KrebsonSecurity reported on July 21 that several banks had begun noticing stolen credit and debit card numbers associated with Goowill customers were being circulated yet it wasn’t until Sept. 2 that the company admitted in a letter to customers (.PDF) that it was affected by a “data security issue.”

Concrete numbers were never given by Goodwill, but many reports claim that a six-week investigation uncovered that 10 percent of its stores, 330 total, and approximately 868,000 payment cards were exposed in the breach.

As payment card information was at the root of this breach, customer’s names, payment card numbers and expiration dates are all in danger of being compromised.

Goodwill mentioned the 18-month breach timeframe in the letter but failed to name the vendor and the type of malware, instead claiming a “third-party vendor’s systems” had been implicated.

While C&K acknowledged that the software it uses conforms to PCI-DSS requirements around data encryption, it also made it clear that “there is no 100% fail-safe security solution for hosting Point of Sale environments.”

Point of sale malware has been a scourge on retail over the last year. Companies like Home Depot, Neiman Marcus, Michaels and of course Target have all been targeted and breached to different extents.

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.