A data breach at International Dairy Queen, Inc. has resulted in systems at 395 of its more than 4,500 U.S. stores and one Orange Julius location being infected with the same Backoff malware that has plagued other retailers nationwide and exposed customer payment information.
Dairy Queen had already been under scrutiny for a possible malware issue that could have impacted payment cards that were used in some U.S. locations. After what it called “an extensive investigation” by outside forensic experts, the company determined, in what is becoming a familiar refrain, attackers compromised account credentials of a third-party vendor to gain access to the systems.
In a press release detailing the investigation's findings, Dairy Queen included a list of the locations hit as well as the time periods that Backoff was present on their systems, which varied by location. Those systems housed customer payment card information, including names, account numbers and expiration dates. “The company has no evidence that other customer personal information, such as Social Security numbers, PINs or email addresses, was compromised as a result of this malware infection,” the company said in the release.
Dairy Queen said it was “confident” that its efforts had contained the malware.
Backoff has proven to be a formidable foe for retailers, brute-forcing popular remote desktop software to infect point-of-sale (POS) devices at Goodwill, Target, Mizado Cocina in New Orleans, P.F. Chang's and hundreds of others. The malware's spread prompted a summer alert from the U.S. Computer Emergency Readiness Team (US-CERT) followed by an urgent request in August by the Payment Card Industry Security Standards Council (PCI SSC) for merchants to contact their AV provider to ensure their software detects Backoff.
“This very targeted malware emerged in just the last year and has had a devastating success rate at being able to steal [a] massive amount of credit cards from well known retailers around the globe. We think that many more have been compromised but have not yet discovered or announced the breaches publicly,” ThreatStream CTO Greg Martin said in a statement sent to SCMagazine.com
He added that retailers not only are under increased pressure to improve their security controls but Backoff has also upped the need for “collaboration and information sharing with other retail organizations in regards to cyber threats.”
Dairy Queen said it would provide free identity repair services for one year to customers in the U.S. who used their payment card at a DQ location or Orange Julius site affected by Backoff malware infection “during the relevant time period.”