{
"$type": "site.standard.document",
"bskyPostRef": {
"cid": "bafyreif7mhc5bahghcu47b6ectkzs23g7wndvpzsxfkkkztvdv3oo3kovy",
"uri": "at://did:plc:3mf3ql5qtnfwownblde4355r/app.bsky.feed.post/3mi2dibmapqk2"
},
"coverImage": {
"$type": "blob",
"ref": {
"$link": "bafkreiavdffi4m2tx4lplvcunstujyorawwsswmezwptvo6jyjfgkfpydu"
},
"mimeType": "image/webp",
"size": 23848
},
"description": "The nonprofit said stores remain open, but point-of-sale disruptions have forced cash-only purchases as an Interlock post appeared to identify the West Michigan affiliate.",
"path": "/goodwill-cyber-incident-michigan/",
"publishedAt": "2026-03-27T14:31:13.000Z",
"site": "https://dysruptionhub.com",
"tags": [
"said",
"statement",
"WOOD-TV",
"WWMT",
"Facebook post",
"Duffy’s Sports Grill"
],
"textContent": "****Editor’s note:**** This story was updated after further review of materials in an Interlock leak-site post indicated they appeared to belong to Goodwill of Greater Grand Rapids. An earlier version treated a ransomware.live listing naming a Pennsylvania affiliate at face value. The story now reflects that the listing appears to have been incorrect.\n\nGoodwill of Greater Grand Rapids, a regional nonprofit that operates 18 stores across six counties in western Michigan, said Friday that a cyber incident disrupted part of its network and left locations in and around the Grand Rapids area operating on a cash-only basis. The disclosure came a day after ransomware tracking site ransomware.live indexed an Interlock claim labeled as involving Goodwill Industries of North Central Pennsylvania, though DysruptionHub’s review of the post indicated the material appeared to match Goodwill of Greater Grand Rapids.\n\nGoodwill said the attack affected network resources used to run stores in Kent, Ionia, Montcalm, Mecosta and Isabella counties, along with part of Ottawa County. It said it notified law enforcement and brought in outside cybersecurity experts to investigate the scope of the incident and restore systems.\n\nGoodwill of Greater Grand Rapids’ March 27, 2026, statement says a cyber incident disrupted part of its network and left stores operating on a cash-only basis.\n\nGoodwill has not publicly identified who was responsible, confirmed ransomware or said whether any personal information was accessed or stolen. DysruptionHub did not receive a response to an emailed request for comment.\n\nA redacted Michigan Sales and Use Tax Certificate of Exemption shown in the Interlock leak post lists Goodwill Industries of Greater Grand Rapids and a Grandville, Michigan, address, a strong indicator the victim was the West Michigan affiliate.\n\nThe clearest public impact so far is at checkout. Goodwill said its systems do not store credit card data, but stores have been operating on a cash-only basis as it rebuilds its point-of-sale program. The organization said stores are expected to remain cash-only for the next several days, with no confirmed timeline for full resolution.\n\nReporting by WOOD-TV and WWMT suggested the disruption affected operations before Friday’s formal disclosure. Goodwill’s Facebook page showed cash-only notices dated March 14 and March 15, and WOOD-TV reported the nonprofit also paused returns and temporarily closed its outlet store for a day during the technical problems.\n\nA March 14 Facebook post from Goodwill of Greater Grand Rapids tells customers its stores were operating cash-only that day.\n\nGoodwill described the event as an “attack” and a “cyber incident,” but did not publicly characterize it as ransomware or say whether any data was accessed or stolen. Some local coverage used the term ransomware, but that has not been confirmed by the nonprofit.\n\nGoodwill of Greater Grand Rapids is a regional nonprofit retailer and workforce-services provider serving six counties in western Michigan. The organization said affiliates in other communities were not affected because local Goodwill nonprofits operate on separate systems. It also runs an online shopping site and, according to a 2024 company release, employs more than 800 people.\n\n****Chip in once****\nIf this reporting helped you, a one-time tip helps cover hosting, tools and future investigations.\n\nTip us\n\n****Support us monthly****\nA small monthly pledge keeps independent coverage and our reader tools online for everyone.\n\nBecome a Supporter\n\nA recent outage at Florida-based Duffy’s Sports Grill also showed how cyber incidents can spill into routine customer transactions. The company faced card payment and rewards disruptions this week while it had not publicly confirmed ransomware.\n\nThe incident also comes against the backdrop of earlier Goodwill-linked payment security problems. In 2014, Goodwill Industries said malware at a third-party payment vendor exposed card data tied to about 10% of Goodwill stores nationwide. There is no evidence that incident is related to the current outage.\n\nWhat comes next depends on the forensic investigation, the restoration of checkout systems and whether Goodwill determines any personal information was affected. For now, stores remain open, but purchases require cash.\n\n****Attribution note:**** DysruptionHub credits upstream reporting and primary sources—see citations above. If this report informed your coverage, please cite DysruptionHub with a link.",
"title": "Goodwill of Greater Grand Rapids tied to Interlock ransomware claim in Michigan",
"updatedAt": "2026-03-27T16:22:26.912Z"
}