The California Office of the Attorney General disclosed in September 2014 that Goodwill Industries International (GII) suffered a data breach due to malware attacks on a third-party vendor’s systems. The incident, which spanned from February 10, 2013, to August 14, 2014, exposed payment card information of customers across twenty Goodwill member stores. Investigations confirmed that the malware was not present on Goodwill’s internal systems, limiting the breach’s origin to the vendor’s compromised infrastructure. While the exact number of affected individuals was not specified, the prolonged exposure period heightened risks of fraudulent transactions and unauthorized card usage. The breach underscored vulnerabilities in third-party security protocols, raising concerns over customer trust and financial liability for GII, though no evidence suggested broader data exfiltration beyond payment details.
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-46460
TPRM report: https://www.rankiteo.com/company/goodwill-industries_2
"id": "goo111082125",
"linkid": "goodwill-industries_2",
"type": "Cyber Attack",
"date": "2/2013",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"{'affected_entities': [{'industry': 'Retail / Thrift Stores',
'location': 'United States (20 member stores affected)',
'name': 'Goodwill Industries International (GII)',
'type': 'Non-profit organization'},
{'name': 'Unnamed Third-Party Vendor',
'type': 'Vendor'}],
'attack_vector': 'Malware (via third-party vendor)',
'data_breach': {'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Payment card information']},
'date_publicly_disclosed': '2014-09-02',
'description': 'The California Office of the Attorney General reported that '
'Goodwill Industries International (GII) experienced a data '
"breach involving malware attacks on a third-party vendor's "
'systems, potentially affecting payment card information of '
'customers from twenty Goodwill member stores. The breach '
'occurred intermittently between February 10, 2013, and August '
"14, 2014, with no evidence of malware found on Goodwill's "
'internal systems.',
'impact': {'data_compromised': ['Payment card information'],
'payment_information_risk': 'High',
'systems_affected': ['Third-party vendor systems']},
'references': [{'date_accessed': '2014-09-02',
'source': 'California Office of the Attorney General'}],
'regulatory_compliance': {'regulatory_notifications': ['California Office of '
'the Attorney '
'General']},
'title': 'Goodwill Industries International Data Breach via Third-Party '
'Vendor',
'type': 'Data Breach'}