Today, ransomware group Interlock added Goodwill Industries of North Central Pennsylvania to its data leak site after allegedly stealing 80 GB of data. This comes after “technical issues” were noted at other stores earlier this month.

In its proof pack, Interlock specifically claims to have targeted Goodwill Industries of North Central Pennsylvania. However, the attack may have spread further afield: a thread on Reddit discusses issues at stores in Greater Grand Rapids, where systems appeared to have been taken offline, meaning customers could only pay in cash and couldn’t make any returns.

This was corroborated by various posts on Facebook by Goodwill of Greater Grand Rapids. On March 14, 2026, it said stores were cash only and on March 15, 2026, the outlet was closed for the day. Messages about temporary store hours and cash-only services continued for several days.

In the Reddit post, an employee stated: “I am a goodwill employee and I was told that somebody hacked the system and now it’s all donked up.”

Image: Interlock adds Goodwill to its data leak site

We contacted Goodwill Industries International and received the following response:

“There are more than 150 Goodwill organizations across North America and each Goodwill organization has their own website. I am unaware of any cyber attack on any Goodwill website. If you are interested in gathering information from Grand Rapids specifically, you will need to reach out to Goodwill of Greater Grand Rapids.”

We have also contacted Goodwill of Greater Grand Rapids to confirm Interlock’s claims, whether these are related to its technical issues, and whether or not a ransom was demanded and/or paid. We will update this article if we receive a response.

Who is Interlock?

Interlock first started adding victims to its data leak site in October 2024. Since then, we’ve logged 96 attacks by the group, with 46 of these being confirmed by the entity involved.

Also targeted this year was Wagon Mound Public Schools in February 2026. This attack also caused system disruptions, with Interlock again alleging to have stolen 80 GB of data.

Like many other ransomware groups, Interlock tends to follow a double-extortion technique, demanding a ransom both to decrypt systems and to delete stolen data. This not only doubles its chances of receiving a ransom payment but also means it can sell the data on the dark web if ransom demands aren’t met.

Across all of its confirmed attacks, Interlock has breached nearly 4.7 million records and counting. Its largest breach to date took place in 2025, when it targeted kidney dialysis provider DaVita. Here, nearly 2.7 million people were impacted.

Ransomware attacks in the USA

So far this year, we’ve noted 41 confirmed attacks in the United States and are monitoring a further 932 unconfirmed attacks.

In recent weeks, a number of attacks have been confirmed on other non-profits like Goodwill. This includes:

Attacks such as these highlight how no company is off limits for hackers. Ransomware attacks have the ability to take key systems offline and lead to extensive data breaches, leaving customers and employees at risk of identity theft and fraud.

About Goodwill Industries International

Founded in 1902, Goodwill Industries is a non-profit entity that aims to help individuals, families, and communities by providing work opportunities, skills development, and employee and family strengthening. It operates 3,400 stores in North America, Korea, and 12 other countries.