Dairy Queen Confirms Card Breach395 Locations Affected by Backoff Malware
Dairy Queen has confirmed that Backoff point-of-sale malware was used in a payment card breach that affected 395 of its 4,500 franchised U.S. locations.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The ice cream and fast food chain says more than half a million cards may have been compromised.
"I cannot identify a specific number of cards that may have been impacted by this issue because we do not have visibility into the detailed card-transaction data at all affected stores," Dairy Queen spokesman Dean Peters tells Information Security Media Group. "However, we do believe that the number of unique cards affected were less than 600,000."
Back in August, the Secret Service estimated that systems at more than 1,000 U.S. businesses had been infected by Backoff, which is point-of-sale malware that has been linked to numerous remote-access attacks (see: 1,000 Businesses Hit By POS Malware).
Dairy Queen in late August said it was notified by federal authorities that some of its stores' POS systems may have been infected with Backoff (see: Dairy Queen: Another 'Backoff' Victim?).
Once the company was notified about the potential malware infection, it launched an extensive investigation and retained external digital forensic experts to help determine the facts of the incident.
The investigation has confirmed that the breach stemmed from a compromise of a third-party vendor's account credentials, which the attackers used to access systems at the affected locations across 46 states. "One of our point-of-sale vendors [was] compromised," Peters says. "However, because the investigator's final report has not yet been issued, we are not able to [publicly] identify the third-party vendor whose account credentials were compromised."
The window of compromise for the affected locations ranged from Aug. 1 to Oct. 6. Dairy Queen has also published a complete list of affected stores and when they were compromised.
Information exposed by the breach includes customer names, payment card numbers and expiration dates.
Dairy Queen says the malware has been contained. It is offering free "identity repair" services for one year to customers in the United States who used their payment card at one of the affected locations during the period of the breach.
"We deeply regret any inconvenience this incident may cause," says John Gainor, Dairy Queen's president and CEO. "Our customers are our top priority and we are committed to working with our franchise owners to address the issue."