Goodwill Vendor Describes Breach18-Month Malware Attack Affected 3 Clients
C&K Systems, the vendor identified by Goodwill Industries International as the source of a breach that impacted about 330 of its stores, has confirmed details of the breach of its "hosted managed services environment" that lasted 18 months and affected three of its customers.
In a statement on its website, C&K Systems did not identify the other two clients affected by the breach.
The vendor, based in Murrells Inlet, S.C., manages and deploys cloud-based retail point-of-sale environments for small- and medium-sized specialty retailers.
C&K Systems says it was notified on July 30 by an independent security analyst that its hosted managed services environment may have experienced unauthorized access. Following an investigation with law enforcement and an independent cyber investigative team, the vendor determined that its system was compromised by point-of-sale malware known as infostealer.rawpos "that was undetectable by our security software systems until September 5, 2014."
Goodwill confirmed to Information Security Media Group earlier this month the malware that compromised C&K Systems led to the exposure of details on 868,000 U.S. debit and credit cards (see: Goodwill Names Vendor in Breach).
C&K Systems says its cloud environment was impacted intermittently by unauthorized access from Feb. 10, 2013, to Aug. 14, 2014. "While many payment cards may have been compromised, the number of these cards of which we are informed have been used fraudulently is currently less than 25," the company reports.
C&K Systems says it notified its other hosted managed services customers about the incident and took steps "to eliminate the threat and process payment cards outside of the systems while the investigation continued."
In its statement, C&K Systems says it hosts software for its customers from a "leading POS company" that meets current PCI-DSS requirements for encrypting data in transit and data at rest. C&K Systems says its software vendor is rolling out a point-to-point encryption solution with tokenization that it anticipates receiving in October.
"Our experience with the state of today's threats will help all current and future customers develop tighter security measures to help reduce threat exposure and to make them more cognizant of the APTs [advanced persistent threats] that exist today and the impact of the potential threat to their businesses," the company says.
C&K Systems did not immediately respond to a request for additional information.