While investigators are still working to determine the extent of a possible breach, it’s believed that Goodwill stores in as many as 21 states may have been hacked for the credit card data of consumers who’ve shopped at the thrift stores. Some signs have led investigators to believe these cybercrimes may have begun as early as May of 2012.
While Goodwill Industries International has not commented on whether the news that first broke in early July is even true, a statement on the charity’s website does confirm that they were contacted by federal investigators about the possibility that they had been hacked and that customers’ credit card information had been accessed.
“Goodwill Industries International was contacted…by a payment card industry fraud investigative unit and federal authorities informing us that select U.S. store locations may have been the victims of possible theft of payment card numbers. Investigators are currently reviewing available information. At this point, no breach has been confirmed but an investigation is underway.”
Goodwill is practically synonymous with the thrift stores that sell gently used items that have been donated by the public in order to fund its charitable work. The focus of this charity is “to enhance the dignity and quality of life of individuals and families by helping people reach their full potential through education, skills training and the power of work.”
So what would make someone stoop so low as to attack a charity whose purpose is to restore a sense of pride in people who are in need, mostly by providing them with training and skills to find better jobs? The sad truth is that the thieves do not care whether the mission of the company they target is to make profits or to make the world a better place; they only care that the company has valuable data worth stealing.
Charities, churches, and small to mid-size businesses are often a favorite target of thieves, whether it’s through cyber events or plain old-fashioned robberies. Why? Simply because these smaller organizations lack the means to install monitoring and recording systems.
In the case of cybercrimes, smaller companies and non-profits typically do not have the same high-level resources as a major financial institution. In the Goodwill case, for example, the lack of a centralized payment processing center — meaning different stores processed their own credit cards — may have also contributed, since there was no single server to alert the company’s team members to a problem.
The report from the federal investigators has not come back with definitive proof of a breach. Rather than wait until final findings are released, consumers should take extra care with their data, especially if they’ve used their credit cards at a Goodwill store in the past year. By checking their credit card statements for fraudulent activity and monitoring their credit information—which all consumers should be doing on a regular basis with each of the three credit reporting agencies—they will be better able to stop financial fraud on their accounts as soon as it occurs.
One of the most important aspects of this breach is that it shows just how financially devastating a data breach can be to an organization. Most charities run on very lean budgets, and therefore, if they are hit with fines for failing to protect the personal information of either their beneficiaries or their customers, it could mean disaster for the organization.
It is also important for both non-profit and for-profit companies to protect the personal information of the people they serve. State agencies have shown their adherence to this principle with the recent fining of a Women & Infants hospital in Massachusetts that failed to protect patients’ personal health information.
What can we learn from the Goodwill breach?
The takeaway is that no organization or company is immune to data breaches. Every effort needs to be made to protect personal information. This may mean that companies should collect fewer personal details, if possible, or build better “checks and balances” into their budget.
It is becoming well known that falling victim to a data breach these days is no longer a question of if, but when. Apparently, that includes all of us, no matter how much good we do in the world.