An internal review at Goodwill Industries has concluded that hackers accessed customer payments data through a vendor-related weak spot.
The nonprofit retailer in July announced a possible breach and that it was investigating the matter. On Tuesday, it said a breach had occurred and affected about 10%, or roughly 330, of its thrift stores nationwide.
The incident involved a malware attack on one of its outside vendors between February 2013 and August 2014, Goodwill said in a press release. It allowed hackers to access customers' payment card information.
The attack affected stores in 19 states and the District of Columbia. No additional information was provided about the third-party vendor.
"We took immediate steps to address this issue, and we are providing extensive support to the affected Goodwill members in their efforts to prevent this type of incident from occurring in the future," Jim Gibbons, president and chief executive of Goodwill Industries International in Rockville, Md., said in the release.
Goodwill's investigation found no evidence of a malware attack on its internal systems, the release said.
Word of the findings coincided with an announcement Tuesday that Home Depot has begun investigating a possible data breach at its stores.