Dairy Queen Acknowledges Possible Credit Card Breach

Dairy Queen has acknowledged that it was recently alerted by the U.S. Secret Service to a possible data breach related to the Backoff point-of-sale malware, and has admitted that "customer data at a limited number of stores may be at risk."

The company says it doesn't yet know how many of its locations may be affected.

"We are gathering information from a number of sources, including law enforcement, credit card companies and processors," the company told the Star Tribune.

Investigative reporter Brian Krebs first broke the news of the breach earlier this month when sources at several financial institutions told him they were dealing with fraud on payment cards that had all been used at Dairy Queen locations.

At one credit union in the Midwest, more than 50 customers were hit with credit card fraud soon after using their credit and debit cards at Dairy Queen locations. The pattern of fraud in that case suggested that the Dairy Queen stores had been compromised at least as early as June 2014.

However, the company denied having heard any reports of fraud as of August 22, 2014, noting that almost every Dairy Queen location is independently owned and operated.

Dairy Queen spokesman Dean Peters told Krebs that the company has no policy in place requiring that franchisees notify Dairy Queen in the case of a security breach.

"At this time, there is no such policy," Peters said. "We would assist them if [any franchisees] reached out to us about a breach, but so far we have not heard from any of our franchisees that they have had any kind of breach."

Rapid7 global security strategist Trey Ford told eSecurity Planet by email that situations like this create a real challenge for franchisees. "Franchise owners and operators will have a harder time locating malicious software -- those equipped to detect, contain, and eradicate miscreants from their systems are the exception, not the rule," he said.

The U.S. Department of Homeland Security (DHS) says more than 1,000 U.S. businesses have already been impacted by the Backoff point-of-sale malware, which was recently responsible for high-profile breaches at 51 UPS Store locations and 180 Supervalu supermarkets and liquor stores.

"Companies that believe they have been the victim of this malware should contact their local Secret Service field office and may contact the NCCIC for additional information," the DHS stated in a recent advisory.

Trustwave threat intelligence manager Karl Sigler recently provided eSecurity Planet with a demonstration of the malware at the Black Hat USA 2014 conference.