Third party working with regional thrift chain suffers data breach
The regional charity thrift store chain America's Thrift Stores (ATS) announced recently that it was the victim of a data breach.
According to a statement from ATS Chief Executive Officer Kenneth Sobaski, the breach was contained to just one month, from Sept. 1 through Sept. 27 of this year, and leaked both card numbers and expiration dates.
"This breach allowed criminals from Eastern Europe unauthorized access to some payment card numbers," said Sobaski. "This virus/malware is one of several infecting retailers across North America."
The "one of several" portion of Sobaski's statement is a reference to the fact that the breach may not be contained to, or be the fault of, ATS. The targeted software belonged to a third-party service provider, which accepts payments on behalf of ATS. Neither the third party nor any of its other affiliates was disclosed in the announcement.
ATS owns and operates 18 stores in Alabama, Georgia, Louisiana, Mississippi and Tennessee. The company is a for-profit charity which donates a portion of its profits to Christian ministries. Though dates were ascertained in the initial investigation, it is currently unclear how many of ATS' locations, or other companies working with the breached third party, were compromised.
The company is currently working with the Secret Service to investigate the breach further. It has also retained the services of an independent forensic investigations company to repair its systems and further improve its security against future attacks.
Though it is currently unclear how many cards were affected, Krebs on Security reports that sources within the banking industry are already seeing fraud patterns on cards used at ATS.
Companies that have yet to develop their own disaster recovery strategy can partner with a business continuity consultant that has extensive experience with these issues.