C&K Systems, the payment technology vendor that Goodwill Industries identified as the source of a data breach that affected around 330 of the company's stores, confirmed that the breach affected two more companies.
C&K Systems specializes in managing and deploying cloud-based retail point-of-sale systems for small and medium specialty retail companies.
The company confirmed the attack on its hosted managed services environment, which lasted for 18 months. However, the identities of the two other affected clients were not revealed.
C&K Systems said in a statement that it received a notification from an independent security analyst last July 30 that the company's hosted managed services environment could have been compromised. The information prompted the company to conduct an investigation into the matter, aided by law enforcement authorities and an independent online investigation team.
The investigation resulted in the confirmation that the company's systems were infected with a point-of-sale malware that is named infostealer.rawpos, which was only detected by the security software systems on Sept. 5.
The malware, reported by Goodwill, caused the exposure of the details of 868,000 U.S.-issued credit cards and debit cards. Such kinds of malware are created to steal the encoded data that is found in the magnetic stripes located at the back of the credit cards and debit cards. The stolen data can then be used to make counterfeit versions of the cards.
C&K Systems reported that the company's cloud environment was attacked with unauthorized access from Feb. 10 of last year to Aug. 14 of this year.
"While many payment cards may have been compromised, the number of these cards of which we are informed have been used fraudulently is currently less than 25," reported C&K Systems.
C&K Systems also said that it has informed its other customers that are using the same affected services regarding the incident, with the company already having taken steps to remove the malware while processing payments outside of the affected systems while the investigation is ongoing.
Multiple banks reported signs of apparent data breaches on Goodwill in July, which the company later confirmed but blamed the attack on a third-party vendor, which is C&K Systems.
However, even with the statement released by C&K Systems, the company has failed to release the specific details of the data breach; including how exactly the company's systems were compromised. These details will aid other companies to prevent such breaches in the future.
It is also not determined whether the two other companies affected by the breach on C&K Systems will be identified.