In what could shape up to be yet another alarming headline, Goodwill Industries may be the latest victim of a high-profile data breach. Earlier this month, Krebs on Security reported that “financial institutions across the country report that they are tracking what appears to be a series of credit card breaches involving Goodwill locations nationwide.” And while little new information has come out since then, the breaches are now under investigation by federal authorities. Krebs on Security wrote:
“It remains unclear how many Goodwill locations may have been impacted, but sources say they have traced a pattern of fraud on cards that were all previously used at Goodwill stores across at least 21 states, including Arkansas, California, Colorado, Florida, Georgia, Iowa, Illinois, Louisiana, Maryland, Minnesota, Mississippi, Missouri, New Jersey, Ohio, Oklahoma, Pennsylvania, South Carolina, Texas, Virginia, Washington and Wisconsin.”
Those sources, Krebs on Security reported, also say that “the breach could extend back to the middle of 2013.” If the “pattern of fraud” that has already been identified indeed turns out to have originated in a Goodwill Industries data breach, Goodwill will be the latest in a long string of headline-grabbing data breaches—and the latest in a long series of object lessons for every retailer and commercial organization that handles sensitive customer financial information such as credit card numbers. And the impact of a breach on Goodwill’s sales could harm more than just the organization’s financial health, since Goodwill Industries uses the proceeds of its sales to fund charitable initiatives in over a dozen countries.
Could the breach have been prevented? Until more information emerges, it’s impossible to say. But we can already learn a couple of lessons from the developing story:
1. Anyone Can be a Target
A number of other organizations have suffered large-scale data breaches in recent years. Target is one of the more recent and more memorable, thanks to the extreme fallout that has resulted from its data breach, but Neiman Marcus, P.F. Chang’s, arts and crafts supply chain Michaels, and beauty supply retailer Sally Beauty have also been compromised, as Krebs on Security pointed out. At first glance, a charitable organization like Goodwill, known primarily for its secondhand stores, may not seem to have much in common with upscale department stores or midmarket retail chains. But though Goodwill’s prices are low, its stores do still handle customer credit cards, and that alone is enough to make the organization a target. Don’t assume your organization won’t be attacked simply because it’s smaller or less well-known than the big names whose data breach disasters dominate the headlines. Anyone can be a victim, and a smaller business may be less equipped to handle the consequences of a data breach than a large one.
2. Prevention is Critical
Now that we’ve established that anyone can be a target, we know that even smaller or lesser-known organizations must invest in protection against data breaches. Internal infrastructure that’s used to handle or store sensitive data must be locked down, of course, as well as any cloud-based applications or services used for day-to-day operations like CRM and sales processing. And cloud data protection may matter even more to SMEs than to large organizations, since the chances are higher that a small or midsized business will need to outsource to the cloud rather than build out and maintain its own in-house infrastructure.
When it comes to the cloud, we believe that the best protection against data breaches is cloud encryption that starts at the corporate perimeter and leaves access to, and control of, encryption keys in the organization’s own hands. That’s because “anyone can be a target” applies to cloud providers as well. You may not be able to prevent a data breach at your CSP. What you can do is ensure that even if such a breach happens, your organization’s data remains unreadable and unusable to the hackers.
An ounce of prevention is worth a pound of cure, especially when it comes to data breaches like the one that happened to Target and the one that may have happened to Goodwill. Is your business safe? Tell us in the comments whether you’re confident in your cloud data protection.