Full Report
Like many organizations, Goodwill of Greater Grand Rapids faces the risk of cybersecurity attacks. Recently, we experienced an attack that disrupted a portion of our network environment. This impacted the network resources we use to operate our local stores. We immediately notified law enforcement and are working with external cybersecurity experts to investigate the situation, understand the scope, and restore systems as quickly and safely as possible. Our investigation is ongoing, and we do not yet have a confirmed timeline for full resolution. While Goodwill of Greater Grand Rapids systems do not store credit card data, we have been operating on a cash-only basis as we rebuild our point-of-sale program. Our stores continue to be open for business, and we expect to continue cash-only transactions for the next several days. We wish to thank our customers and community partners for their patience and support while we work through this issue. Goodwill organizations are local nonprofits that all operate on separate systems. This incident has no impact on Goodwill stores or organizations in other communities. (via Valéry Rieß-Marchive)
Analysis Summary
# Incident Report: Goodwill of Greater Grand Rapids Network Disruption
## Executive Summary
Goodwill of Greater Grand Rapids experienced a cybersecurity attack that disrupted a portion of its network environment, specifically affecting systems required for retail store operations. While the organization does not store credit card data, the incident forced a transition to cash-only transactions as the Point-of-Sale (POS) infrastructure is being rebuilt. The incident was isolated to the local Grand Rapids territory and did not impact other Goodwill organizations.
## Incident Details
- **Discovery Date:** Late March 2026 (Publicly disclosed March 27, 2026)
- **Incident Date:** March 2026
- **Affected Organization:** Goodwill of Greater Grand Rapids
- **Sector:** Nonprofit / Retail
- **Geography:** Michigan, USA (Kent, Ionia, Montcalm, Mecosta, Isabella, and Ottawa Counties)
## Timeline of Events
### Initial Access
- **Date/Time:** Undisclosed
- **Vector:** Not explicitly disclosed
- **Details:** Attackers successfully breached the organization's network environment, targeting resources used for local store operations.
### Lateral Movement
- **Details:** Limited information is available. The disruption affected "a portion of the network environment," which suggests movement from the initial entry point to operational servers and POS systems, though the statement does not confirm this.
### Data Exfiltration/Impact
- **Impact:** Significant disruption to the Point-of-Sale (POS) program and general network resources.
- **Data:** The organization states that it does not store credit card data; the investigation into other data types is ongoing.
### Detection & Response
- **Discovery:** Triggered by system disruption impacting store operations.
- **Response actions taken:**
  - Notification of law enforcement.
  - Engagement of external cybersecurity experts.
  - Shift to "cash-only" operations to maintain business continuity.
  - Complete rebuilding of the POS program.
## Attack Methodology
*Note: Specific technical TTPs (Tactics, Techniques, and Procedures) were not detailed in the public statement. Based on the "rebuild" and "disruption" language, the methodology is consistent with ransomware or destructive malware.*
- **Initial Access:** Undisclosed.
- **Persistence:** Undisclosed.
- **Privilege Escalation:** Undisclosed.
- **Defense Evasion:** Undisclosed.
- **Credential Access:** Undisclosed.
- **Discovery:** Undisclosed.
- **Lateral Movement:** Undisclosed.
- **Collection:** Undisclosed.
- **Exfiltration:** No evidence of credit card data theft; other exfiltration is under investigation.
- **Impact:** Service disruption and resource impairment (specifically POS systems).
## Impact Assessment
- **Financial:** Lost revenue from customers unable to pay with credit/debit; costs associated with digital forensics and system rebuilding.
- **Data Breach:** Confirmed no credit card data involved; scope of other sensitive data remains under investigation.
- **Operational:** "Cash-only" restrictions for several days; disruption of network resources for 18 retail stores and online shopping.
- **Reputational:** Limited; the organization has maintained transparency and emphasized that the incident is localized to the Grand Rapids chapter.
## Indicators of Compromise
- **Inbound/Outbound IP/URL:** None disclosed in the initial press release.
- **File indicators:** None disclosed.
- **Behavioral indicators:** Sudden loss of POS connectivity and network resource unavailability.
## Response Actions
- **Containment measures:** Isolation of the affected portion of the network environment.
- **Eradication steps:** Not explicitly stated, though a "rebuild" of the POS program suggests a clean-slate recovery.
- **Recovery actions:** Partnering with external experts to restore systems safely; implementing manual cash-only workarounds for store locations.
## Lessons Learned
- **Architecture Matters:** The separation of regional Goodwill organizations (operating on separate systems) successfully prevented the incident from becoming a national crisis.
- **Contingency Planning:** Having a "cash-only" business continuity plan allowed the nonprofit to keep doors open and continue its mission despite a total POS failure.
- **External Support:** Rapid engagement of law enforcement and third-party experts is critical for accurate scoping of a "rebuild" vs. a "restore."
## Recommendations
- **POS Hardening:** Ensure POS systems are segmented from the general administrative network so that a compromise of one segment does not give an attacker a direct path to the other, limiting lateral movement.
- **Offline Backups:** Maintain immutable, offline backups specifically for POS configurations to speed up recovery times during a rebuild.
- **EDR Deployment:** Implement Endpoint Detection and Response (EDR) across all retail workstations to identify malicious behavior before it leads to a network-wide disruption.