Credit card data theft hit at least three retailers, lasted 18 months

Goodwill Industries was one of three companies affected by an attack on a retail managed service provider that went undetected for over 18 months.

In July, it was revealed that Goodwill Industries had suffered from a credit card data breach that affected the charitable retailer’s stores in at least 21 states. The Goodwill breach seemed by many to be just the latest case of criminals taking advantage of the weak underbelly of retailers—their point-of-sale systems. But now, as it turns out, the Goodwill breach was just part of a much larger attack on an outside managed service provider that affected at least two other companies. And many more may have been affected without their knowledge.

Security reporter Brian Krebs first broke the news on the Goodwill breach in July and traced the breach back to C&K Systems, a reseller of retail software systems from NCR, Retail Pro, and other retail software and systems providers. Goodwill had outsourced much of the operation of its retail systems, including its point-of-sale (POS) systems, to C&K through a managed service contract.

In a statement published on Monday, C&K Systems admitted that they had suffered a breach of point-of-sale systems tied to their “Hosted Managed Services Environment.” The company determined with the assistance of outside forensic investigators that the breach began sometime in early 2013. “The unauthorized access affected our Hosted Management Services Platform intermittently between February 10, 2013 and August 14, 2014.”

Read 11 remaining paragraphs | Comments