Last month we reported on a possible data breach at US non-profit organization Goodwill Industries. We can now confirm that it was a data breach, and that more than 800,000 payment card details were compromised.

In a letter sent out to customers on Tuesday, Goodwill’s president and CEO, Jim Gibbons, stated that payment card data was compromised following a malware attack on a third-party vendor used in roughly 10% of stores.

The attack occurred between 10 February 2013 and 14 August 2014 – a significantly long time frame.

The type of data stolen was:

Names

Payment card numbers

Expiration dates

There is no evidence that other information was stolen, such as addresses and PINs.

Somewhere in the region of 868,000 cards were compromised throughout 330 stores. You can view the list of affected locations here.

Goodwill spokesperson Lauren Lawson said, “Our outside forensic expert has confirmed that the malware is known as rawpos.”

Goodwill is no longer using the affected third-party vendor for card processing. This story further demonstrates how cyber criminals can use third-party vendors to access another organization’s data.