As long as we're talking data breaches, let's not forget Goodwill.
First - a sidenote. This summer's breach count is pretty remarkable. But it's not just the number. If we were to hear that 10, or 100, or 1,000 breaches had occurred since last spring, that would be something - but the importance of these breaches goes further: these are big-name, well-known entities we're talking about. These are businesses that many of us know, like and buy from on a regular basis.
These are organizations that, one would think, have the ability to implement sophisticated, preemptive lines of defense. To see them falling like dominoes just highlights the gap between how we actually handle security, and how we need to be handling it.
Ready for the news?
From Krebs, we get the incident:
On July 21, 2014, this site broke the news that multiple banks were reporting indications that Goodwill Industries had suffered an apparent breach that led to the theft of customer credit and debit card data. Goodwill later confirmed that the breach impacted a portion of its stores, but blamed the incident on an unnamed "third-party vendor" ...continue reading
From Law360.com, we learn the in-road:
Goodwill Industries International Inc. on Wednesday identified retail point-of-sale services provider C&K Systems Inc. as the third-party vendor that hackers attacked to access data on more than 800,000 payment cards used for purchases at hundreds of Goodwill locations ...continue reading
From CryptZone, we get some perspective:
In the US, this almost seems to have become an epidemic. Back in January, the FBI followed up on the Target hack by circulating a three-page report among the nation's retailers: "We believe POS malware crime will continue to grow over the near term, despite law enforcement and security firms' actions to mitigate it," it warned, according to Reuters ...continue reading
For an analysis on how to prevent data breaches rooted in third-party vendor access, check out yesterday's post on the Jimmy John's hack that just hit the news.