Ransomware group Interlock has added Goodwill Industries of North Central Pennsylvania to its dark web leak site, claiming 80GB of stolen data following a confirmed attack that caused operational disruptions extending beyond the named victim. At the same time, stores in the Greater Grand Rapids, Michigan region were forced to operate cash-only, suspended returns, and closed entirely for at least one day in mid-March 2026, as corroborated by official Goodwill of Greater Grand Rapids social media posts and employee statements. Goodwill Industries International, the national umbrella organization, stated it was unaware of any cyberattack, reflecting the federated structure that characterizes the Goodwill network and complicates both incident response and breach scope assessment.
What Happened
Interlock listed Goodwill Industries of North Central Pennsylvania on its data leak site with a proof pack claiming 80GB of exfiltrated data. The listing followed what employees and regional social media accounts described as a systems outage beginning around March 14, 2026 at Goodwill of Greater Grand Rapids locations in Michigan — a separate regional entity from the named Pennsylvania victim.
Goodwill of Greater Grand Rapids posted on Facebook on March 14 that stores were cash-only, on March 15 that stores were closed for the day, and continued posting about temporary hours and cash-only operations for several days thereafter — the operational signature of a ransomware encryption event that has taken point-of-sale and back-office systems offline. An employee on Reddit confirmed the cause: "I was told that somebody hacked the system and now it's all donked up."
Whether the Pennsylvania and Grand Rapids incidents represent a single coordinated attack against shared infrastructure, two separate Interlock campaigns timed in proximity, or lateral spread from a single initial access point remains unconfirmed. Goodwill Industries International's response — effectively disclaiming knowledge and redirecting to individual regional entities — reflects the federated nonprofit model in which each regional Goodwill operates independently, but it also signals a national coordination failure in incident response.
Interlock has been active since October 2024 and has logged 96 attacks tracked by Comparitech, with 46 confirmed by the targeted entities. The group operates double-extortion: encrypt systems, exfiltrate data, then threaten public release to maximize ransom pressure.
What Was Taken
Interlock claims 80GB of exfiltrated data from Goodwill Industries of North Central Pennsylvania. The specific file types and data categories within the proof pack have not been fully detailed publicly. Given Goodwill's operational profile as a nonprofit retail and workforce development organization, the exposed dataset likely includes:
- Employee and HR records — personnel files, payroll data, Social Security numbers, tax documents for staff across store locations
- Donor records — names, contact information, and donation histories for individual and corporate donors
- Customer and loyalty program data — account details for any registered shoppers or loyalty participants
- Financial records — accounts payable/receivable, banking relationships, grant documentation, and nonprofit financial filings
- Vendor and partner contracts — agreements with suppliers, logistics partners, and service providers
- Workforce development program records — Goodwill's core mission involves job training and placement for disadvantaged individuals; these program records contain sensitive personal and employment history data for vulnerable populations
The 80GB volume is consistent with a full file server or document management system exfiltration rather than targeted cherry-picking, suggesting broad filesystem access during the dwell period.
Why It Matters
Nonprofits are systematically underdefended against ransomware. Goodwill's federated model — 150+ independent regional organizations sharing a brand but operating separate IT infrastructure — creates a fragmented security posture that sophisticated ransomware groups actively exploit. There is no central security operations capability, no unified incident response function, and no shared visibility across the network. An attacker who finds one regional Goodwill's systems accessible faces a target with limited detection capability, minimal security staffing, and constrained remediation budget.
The operational disruption profile matters here. Cash-only operations, suspended returns, and temporary closures are not just inconveniences — they represent direct revenue loss and mission disruption for an organization that funds job training and social services through retail operations. For Interlock, hitting a recognized charitable brand generates media coverage and creates reputational pressure that supplements the technical pressure of encryption, potentially accelerating ransom payment decisions.
The parallel disruptions across Pennsylvania and Michigan also raise a supply chain question that remains unanswered: if both regional entities were affected in the same attack window, they may share a common IT vendor, donation management platform, or POS system provider whose compromise served as the initial access point for both. This is a pattern Interlock and similar groups have exploited against other multi-location nonprofit and retail chains.
Interlock's 96-victim track record in under 18 months places it firmly in the operational tier of ransomware groups — not a flash-in-the-pan crew but a sustained operation with demonstrated capability against organizations ranging from public schools to regional nonprofits to, now, a nationally recognized charitable brand.
The Attack Technique
The initial access vector has not been disclosed. Goodwill's retail and nonprofit operational profile presents several high-probability entry points consistent with Interlock's documented TTPs:
- Phishing against regional administrative staff — Goodwill regional operations employ large numbers of administrative and store management staff with varying security awareness; credential phishing against these users is a low-effort, high-yield initial access method
- Point-of-sale or retail management system vulnerabilities — retail POS infrastructure is frequently under-patched and may be internet-accessible for remote management; these systems are a documented ransomware entry vector in retail sector attacks
- Shared IT vendor or managed service provider compromise — the simultaneous apparent impact across multiple regional Goodwill entities suggests either a shared infrastructure component or a common MSP whose access credentials were compromised
- VPN and remote access exploitation — Goodwill regional operations use remote access for administrative functions; unpatched or credential-stuffed VPN endpoints are Interlock's documented preferred initial access method based on prior victim profiles
- Exposed donation management or CRM platforms — cloud-based donor management systems used across regional Goodwills may have externally accessible administrative interfaces vulnerable to credential attacks
The cash-only operational mode suggests encryption reached POS terminals and back-office systems — indicating either flat network architecture enabling lateral movement from an initial foothold, or direct compromise of centralized infrastructure serving multiple store locations.
What Organizations Should Do
- Federated organizations must establish minimum security baselines across all member entities — the Goodwill model (brand shared, security fragmented) is a liability; umbrella organizations should require affiliated entities to meet baseline security standards, including MFA on all remote access, endpoint detection, and incident response plan documentation, as conditions of brand affiliation
- Map and audit shared infrastructure across regional entities — if multiple Goodwill regions share a POS vendor, donor management platform, or IT services provider, that shared component is a single point of failure for the entire network; inventory all shared vendor relationships and assess each one's security posture
- Implement offline backup and manual operations procedures for POS systems — the cash-only disruption was predictable and preventable; retail and nonprofit organizations should maintain documented manual operating procedures and regularly test them so that a ransomware event does not result in complete operational paralysis
- Segment POS networks from administrative and file server infrastructure — retail POS systems should operate on isolated network segments that cannot reach HR, financial, and document management systems; flat networks that allow lateral movement from a compromised register to a file server are an architectural failure
- Treat donor and workforce program participant data as sensitive PII requiring dedicated protection — Goodwill's workforce development programs serve vulnerable populations whose employment and personal history data carries heightened sensitivity; these records should be stored in systems with stricter access controls, audit logging, and encryption at rest than general operational data
- Register with your sector ISAC and establish an IR retainer before an incident — nonprofit sector organizations rarely have incident response retainers in place; the cost of establishing a relationship with a firm like CrowdStrike, Mandiant, or a regional equivalent before an incident is a fraction of the cost of emergency response engagement after encryption; federated networks should consider a shared IR retainer negotiated at the umbrella level
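
One way to test the POS segmentation recommendation above against observed traffic, as an added example that is not part of the original article: the script flags accepted flows from a register subnet into back-office segments, apart from one allowlisted payment endpoint. The subnets, the allowlisted endpoint, the `src dst dst_port action` record format and the sample flows are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumed segment plan (hypothetical addresses, not taken from the article).
POS_NET = ipaddress.ip_network("10.20.0.0/16")  # store registers
RESTRICTED = {  # back-office segments registers should not reach
    "hr-finance": ipaddress.ip_network("10.50.10.0/24"),
    "file-servers": ipaddress.ip_network("10.50.20.0/24"),
    "pos-backend": ipaddress.ip_network("10.50.30.0/24"),
}
# The only back-office endpoint a register may talk to (assumed payment gateway).
ALLOWED = {(ipaddress.ip_address("10.50.30.5"), 443)}

# Constructed flow records: "src dst dst_port action"
SAMPLE_FLOWS = """\
10.20.4.17 10.50.30.5 443 ACCEPT
10.20.4.17 10.50.20.11 445 ACCEPT
10.20.4.17 10.50.20.11 445 ACCEPT
10.20.9.3 10.50.10.8 3389 DENY
10.60.1.2 10.50.20.11 445 ACCEPT
10.20.9.3 10.50.10.8 1433 ACCEPT
not a flow record
"""

def segmentation_violations(flow_text):
    """Return {(src, segment, dst, port): count} for accepted POS -> restricted flows."""
    hits = Counter()
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # wrong field count: not a flow record
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            port = int(parts[2])
        except ValueError:
            continue  # four fields but not parseable as addresses and a port
        # Only accepted traffic that originates on a register and is not allowlisted.
        if parts[3] != "ACCEPT" or src not in POS_NET or (dst, port) in ALLOWED:
            continue
        for name, net in RESTRICTED.items():
            if dst in net:
                hits[(str(src), name, str(dst), port)] += 1
    return dict(hits)

if __name__ == "__main__":
    for (src, seg, dst, port), n in sorted(segmentation_violations(SAMPLE_FLOWS).items()):
        print(f"POS {src} -> {seg} {dst}:{port} accepted {n}x")
```

Any non-empty result means the firewall between the register segment and the back office is passing traffic that the segmentation design says it should drop.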