Backoff malware infects 400 Dairy Queen franchises

By Chad Hemenway on October 10, 2014

The hacked account credentials of a third-party vendor were used to access point-of-sale systems at nearly 400 of Dairy Queen’s 4,500 independently owned franchises in the US.

Dairy Queen confirmed the breach in late August after being confronted by blogger Brian Krebs of Krebs on Security.

An updated notice from CEO John Gainor further confirms that Backoff malware was found on franchisees’ systems.

“As a result of our investigation, we discovered evidence that the systems of some DQ locations and one Orange Julius location were infected with the widely-reported Backoff malware that is targeting retailers across the country,” wrote Gainor, who added that the company was “confident” the malware was contained.

A late July DHS advisory prepared in collaboration with the National Cybersecurity and Communications Integration Center, United States Secret Service, Financial Sector Information Sharing and Analysis Center, and Trustwave SpiderLabs warned of the malware, dubbed “Backoff,” which has been associated with multiple point-of-sale breach investigations. This type of malware has “low to zero percent anti-virus detection rates.”

Dairy Queen said customers’ names, payment card numbers and expiration dates were exposed at varying time periods, depending on location. A list of locations was provided by the ice cream and fast-food chain.

“We have no evidence that other customer personal information, such as Social Security numbers, PINs or email addresses, were compromised as a result of this malware infection,” the company’s chief executive said.

Dairy Queen said it is offering free identity repair services for one year to customers who used a payment card at one of the affected locations.

Chad Hemenway is Managing Editor of Advisen News. He has more than 15 years of journalism experience at a variety of online, daily, and weekly publications. He has covered P&C insurance news since 2007, and he has experience writing about all P&C lines as well as regulation and litigation. Chad won a Jesse H. Neal Award for Best Single Article in 2014 for his coverage of the insurance implications of traumatic brain injuries and Best News Coverage in 2013 for coverage of Superstorm Sandy. Contact Chad at 212.897.4824 or chemenway@advisen.com.