Credit card numbers stolen from charity America's Thrift Stores

Break-in by Eastern European cybercriminals garners attention of US Secret Service

A malware-driven break-in and breach at the charity America's Thrift Stores may have compromised all sales transactions at the company between 1 September and 27 September, its CEO has admitted.

A statement from Kenneth Sobaski claimed that the breach "allowed criminals from Eastern Europe unauthorized access to some payment card numbers. This virus/malware is one of several infecting retailers across North America."

He added that the security breach that occurred through software used by a third-party service provider, who has not been named.

Sobaski continued: "The US Secret Service tells us that only card numbers and expiration dates were stolen. They do not believe any customer names, phone numbers, addresses or email addresses were compromised."

America's Thrift Stores began working with the US Secret Service, alongside "independent forensic investigator" Sikich, as soon as it learned of the incident.

These experts analyzed the data breach, conducted a thorough forensic review and worked to both stop the attack and remove the malware. Now, we are collaborating with them to even further improve security against future attacks.

We have identified and removed malware that was the source of the breach– and we continue to take steps to improve security against any future attacks. Shoppers can feel confident using credit or debit cards at any of our store locations.

Affected sales transaction were those occurring between 1 and 27 of September, said Sobaski: "If you used your credit or debit card during this time to purchase an item at any America’s Thrift Store location, the payment card number information on your card may have been compromised."

Back in July, Trend Micro's Anthony Joe Melgarejo said the Angler exploit kit was now targeting Point-of-Sale (PoS) systems. As noted by Brian Krebs, another American charity was breached last year: the compromise of credit card details at Goodwill was ultimately found to have been produced by a vulnerability exploited by PoS malware.

Mark Shelhart, of Sikich's Incident Response and Forensics team, told The Register that the company "won't release details of how the breach occurred," but confirmed that the Angler exploit kit was not involved.

Sikich is not involved in attributing the breach. The company is a Payment Card Industry Forensic Investigator, said Shelhart, which specialises in providing "the payment cards brands with information concerning the cause and the scope of the breach as it related to cardholders."

"As the investigation is still ongoing, there is not yet an estimate in the number of credit cards that may have been affected." ®


Biting the hand that feeds IT © 1998–2017