The hacked account credentials of a third-party vendor were used to access point-of-sale systems at nearly 400 of Dairy Queen’s 4,500 independently owned franchises in the US.
Dairy Queen confirmed the breach in late August after being confronted by blogger Brian Krebs of Krebs on Security.
An updated notice from CEO John Gainor furthermore confirms Backoff malware was found on franchisees’ systems.
“As a result of our investigation, we discovered evidence that the systems of some DQ locations and one Orange Julius location were infected with the widely-reported Backoff malware that is targeting retailers across the country,” wrote Gainor, who added that the company was “confident” the malware was contained.
A late July DHS advisory prepared in collaboration with the National Cybersecurity and Communications Integration Center, United States Secret Service, Financial Sector Information Sharing and Analysis Center, and Trustwave SpiderLabs warned of the malware, dubbed “Backoff,” which has been associated with multiple point-of-sale breach investigations. This type of malware has “low to zero percent anti-virus detection rates.”
Dairy Queen said customers’ names, payment card numbers and expiration dates were exposed at varying time periods, depending on location. A list of locations was provided by the ice cream and fast-food chain.
“We have no evidence that other customer personal information, such as Social Security numbers, PINs or email addresses, were compromised as a result of this malware infection,” the company’s chief executive said.
Dairy Queen said it is offering free identity repair services for one year to customers who used a payment card at one of the affected locations.