Goodwill’s Vendor Explains the 868,000 Credit and Debit Card Leak

More than two months after Goodwill started their initial data breach investigation, details surrounding their recent data breach are still coming to light. This lengthy release of information is particularly concerning due to the breach’s 18-month-long duration in which payment card information from 868,000 customers was leaked from 330 stores.

These staggering figures are the result of malware on one of Goodwill’s third-party vendors. While the vendor was initially left unnamed, C&K Systems (a retail point-of-sale technology provider) released a statement September 15 outlining their involvement.

C&K Systems stated that a highly specialized Point of Sale malware variant [(POS) infostealer.rawpos] had remained undetected by their security software systems until September 5, 2014.

Specifically, the vendor’s cloud-computing environment was impacted by the malware. Through the cloud, hackers were able to gain access to payment card information from February 2013 to August 2014. Information from not just Goodwill but also two other organizations was compromised.

Currently, C&K Systems is not specifying the other organizations involved.

What should you do?

First and foremost, if you have fraud protection powered by EZShield, you should store your payment card account information in the EZShield Secure Online Wallet so it can be monitored for fraudulent use. Then, if you receive an alert, contact one of our Resolution Specialists immediately.  You may access your virtual wallet by visiting

In addition to taking this proactive step, all consumers who have shopped at Goodwill over the last 18 months should keep an eye on their bank statements for signs of fraud. Goodwill has also compiled a list of impacted states. Take a look to find out whether your information has been leaked as a result of this breach.

The views and opinions expressed in this article are those of EZShield Inc. alone and do not necessarily reflect the opinions of any other person or entity, including specifically any person or entity affiliated with the distribution or display of this content.

John is General Counsel and Chief Privacy Officer of Sontiq, the parent company of the EZShield and IdentityForce brands. He is a Certified Compliance...
Read more about John Burcham.
