Despite the retail industry's new fervor over the Backoff malware, it was Rawpos, not Backoff, that was to blame for the breach at Goodwill retail stores reported in July. Symantec gave Rawpos a risk rating of "very low" when it discovered the infostealer in February. Very low risk or not, Rawpos was used to compromise 330 of Goodwill's independently operated "member" stores in 20 US states and exposed information on 868,000 credit cards, a Goodwill representative confirms.
Goodwill released details yesterday about the scope and nature of the breach, stating that "The investigation found no evidence of malware on any internal Goodwill systems... The impacted Goodwill members used the same affected third-party vendor to process credit card payments. Twenty Goodwill members (representing about 10 percent of all stores) that use the same affected third-party vendor were impacted."
Goodwill is not releasing the name of the third-party vendor, but Goodwill director of public relations Lauren Lawson confirmed that it is a point-of-sale system provider. It must be a Windows-based POS system, since Rawpos affects Windows 7, Vista, XP, and 2000.
"The malware attack affected the third-party vendor’s systems intermittently between February 10, 2013, and August 14, 2014," yesterday's report states. "Authorities first contacted Goodwill about the breach on July 18, 2014."
Goodwill stated that it has received "a very limited number of reports" of fraudulent use of the card data compromised in the breach.
"We realize a data security compromise is an issue that every retailer and consumer needs to be aware of today, and we are working diligently to prevent this type of unfortunate situation from happening again," Jim Gibbons, president and CEO of Goodwill Industries International said in the statement. "Goodwill’s mission is to provide job training for people with disabilities and disadvantages. We provide this service to millions of people each year. They, our shoppers and our donors, are our first priority."
The retail industry's main priority is still Backoff.
On August 27, in response to the spate of attacks on point-of-sale systems, the PCI Council -- the organization responsible for the creation and enforcement of the Payment Card Industry Data Security Standards -- released an advisory about the Backoff malware. The Council recommended that "merchants consider implementing PCI-approved point-of-interaction (POI) devices that support the secure reading and exchange (SRED) of data which encrypts data at the point of capture and would prevent exposure of clear-text data within the ECR or similar POS systems. Merchants should also consider implementing a PCI-approved point-to-point encryption (P2PE) solution which includes SRED devices and protects the data until received by the secure decryption facility."
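To make concrete what the Council's SRED/P2PE recommendation buys a merchant, here is an added example in Python; it is not code from Goodwill, the PCI Council, Symantec, or any POS vendor. It models a legacy reader that hands clear-text track data to the POS beside an SRED-style reader that encrypts at the moment of capture with a per-transaction key derived from a base key held only by the reader and the decryption facility, then runs a DLP-style clear-text PAN scan over a snapshot of the POS process buffer. The scan finds the card number in the first design and nothing in the second, while the decryption facility still recovers the track. The test PAN, track data, class names and the hash-counter keystream are constructed stand-ins (real POI devices use AES-based DUKPT); the scan is what an infostealer like Rawpos harvests, and also what a defender's memory check should flag.

```python
import base64
import hashlib
import hmac
import re
import secrets
from typing import List, Tuple

# Constructed sample data: a well-known Luhn-valid test PAN, not a real cardholder.
TEST_PAN = "4111111111111111"
TRACK1 = ("%B" + TEST_PAN + "^DOE/JOHN^2512101?").encode()

# Digit runs of plausible PAN length, bounded by non-digits.
_DIGIT_RUN = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check on a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_cleartext_pans(snapshot: bytes) -> List[str]:
    """DLP-style check over a memory snapshot: Luhn-valid digit runs in the clear.
    This is the defender's evidence that clear-text card data is, or is not,
    present in the ECR/POS process."""
    return [m.decode() for m in _DIGIT_RUN.findall(snapshot) if luhn_valid(m.decode())]


def _derive_txn_key(bdk: bytes, ksn: int) -> bytes:
    """Per-transaction key from the base derivation key and a key serial number (DUKPT-style)."""
    return hmac.new(bdk, ksn.to_bytes(8, "big"), hashlib.sha256).digest()


def _keystream(txn_key: bytes, n: int) -> bytes:
    """Hash-counter keystream: a constructed stand-in for the AES modes real devices use."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(txn_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class LegacyReader:
    """Reader that hands the POS the track data in clear text."""
    def capture(self, track: bytes) -> bytes:
        return track


class SredPoiDevice:
    """SRED-style POI device: encrypts at capture; the base key never leaves it."""
    def __init__(self, bdk: bytes) -> None:
        self._bdk = bdk
        self._ksn = 0

    def capture(self, track: bytes) -> Tuple[int, bytes]:
        self._ksn += 1
        txn_key = _derive_txn_key(self._bdk, self._ksn)
        return self._ksn, _xor(track, _keystream(txn_key, len(track)))


class DecryptionFacility:
    """The P2PE solution's secure decryption endpoint, the only other holder of the base key."""
    def __init__(self, bdk: bytes) -> None:
        self._bdk = bdk

    def decrypt(self, ksn: int, ciphertext: bytes) -> bytes:
        txn_key = _derive_txn_key(self._bdk, ksn)
        return _xor(ciphertext, _keystream(txn_key, len(ciphertext)))


def legacy_pos_snapshot(track: bytes) -> bytes:
    """Simulated ECR/POS process buffer in the unencrypted design."""
    return b"POS txn buffer: " + LegacyReader().capture(track) + b" | AUTH pending"


def sred_pos_snapshot(poi: SredPoiDevice, track: bytes) -> bytes:
    """Simulated POS buffer when the reader encrypts at capture: only KSN and ciphertext pass through."""
    ksn, ct = poi.capture(track)
    return (b"POS txn buffer: KSN=" + str(ksn).encode()
            + b" CT=" + base64.b64encode(ct) + b" | AUTH pending")


def demo() -> dict:
    bdk = secrets.token_bytes(32)  # provisioned into the POI and the decryption facility only
    poi = SredPoiDevice(bdk)
    facility = DecryptionFacility(bdk)
    ksn, ct = poi.capture(TRACK1)
    return {
        "legacy_cleartext": find_cleartext_pans(legacy_pos_snapshot(TRACK1)),
        "sred_cleartext": find_cleartext_pans(sred_pos_snapshot(poi, TRACK1)),
        "facility_recovers_track": facility.decrypt(ksn, ct) == TRACK1,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The point of the layout is where the key lives: the POS in the SRED path is a pass-through for a key serial number and ciphertext, so a scraper reading its memory, or an auditor running the same scan, sees no PAN to take; the legacy path carries the full track through the very process the malware targets.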
PCI-approved devices and vendors can be found at pcisecuritystandards.org.