On October 9, 2014, Dairy Queen acknowledged that almost 400 Dairy Queen locations and one Orange Julius location had been infected with the Backoff malware, providing attackers with access to an undisclosed number of customer names, payment card numbers and expiration dates.
Investigative reporter Brian Krebs first broke the news of the breach in August 2014, but at the time, Dairy Queen would only admit that it was investigating a possible breach and that “customer data at a limited number of stores may be at risk.”
The company now says an “extensive investigation” with the help of external forensic experts has determined that “a third-party vendor’s compromised account credentials were used to access systems” at the affected stores.
“To the best of our knowledge, these types of malware breaches are generally associated with network security vulnerabilities and are not related to the point-of-sale hardware we provide,” Panasonic told Krebs. “Panasonic stands ready to provide whatever assistance we can to our customers in resolving the issue.”
A list of all affected locations, along with the length of time each location was affected, is available here. While the time periods vary widely, systems at affected stores were infected for as long as seven weeks.
“Based on our investigation, we are confident that this malware has been contained,” Dairy Queen said in a statement.
Two other recent retail breaches followed the same pattern — Goodwill Industries acknowledged last month that customer payment card data was exposed at 330 Goodwill stores in 20 states when the systems of third-party point-of-sale provider C&K Systems were infected with malware.
And sandwich chain Jimmy John’s admitted in late September 2014 that customer payment card data was stolen from 216 of its stores when the systems of point-of-sale vendor Signature Systems were infected with malware. Signature Systems reported that 108 independent restaurants were also affected.
“We have determined that an unauthorized person gained access to a user name and password that Signature Systems used to remotely access PoS systems,” Signature said at the time. “The unauthorized person used that access to install malware designed to capture payment card data from cards that were swiped through terminals in certain restaurants.”
Neohapsis security consultant Joe Schumacher told eSecurity Planet by email that some basic precautions should be taken in response to breaches like these, such as enabling vendors’ accounts only when access is needed.
“If the vendor access is through a remote connection, then two factor authentication should be issued for each account the vendor needs to give accountable individuals access for vendor services,” Schumacher added. “Along with the (central) monitoring of activities, businesses should look to set alerts on all non-standard activity, especially with vendor accounts.”
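The monitoring Schumacher describes can be reduced to a small rule: a vendor account should only authenticate during an approved access window and from the source the vendor normally uses, and anything else is worth an alert. The script below is an added illustration, not code from the article or from any of the companies it names; the account name, approval window, IP ranges and log lines are all constructed for the example.

```python
"""Flag remote logins by third-party vendor accounts that fall outside an
approved access window or arrive from an unexpected source network.
Added example with constructed data; not from the article."""
from dataclasses import dataclass
from datetime import datetime

# Constructed approvals: account -> list of (window start, window end, expected source prefix).
# In practice these would come from the change/ticket system that enables the vendor account.
APPROVED_ACCESS = {
    "pos-vendor-svc": [
        (datetime(2014, 8, 1, 9, 0), datetime(2014, 8, 1, 12, 0), "203.0.113."),
    ],
}

# Constructed remote-access log lines (hypothetical format): timestamp event key=value ...
SAMPLE_LOG = """\
2014-08-01T09:15:00 LOGIN_OK user=pos-vendor-svc src=203.0.113.7 host=store-0412-pos1
2014-08-01T09:40:00 LOGIN_OK user=cashier01 src=10.20.4.15 host=store-0412-pos1
2014-08-03T02:12:00 LOGIN_OK user=pos-vendor-svc src=198.51.100.23 host=store-0412-pos1
2014-08-03T02:13:00 LOGIN_OK user=pos-vendor-svc src=198.51.100.23 host=store-0412-pos2
2014-08-03T02:20:00 LOGIN_FAIL user=pos-vendor-svc src=198.51.100.23 host=store-0417-pos1
"""


@dataclass
class Alert:
    ts: datetime
    user: str
    src: str
    host: str
    reason: str


def parse_line(line):
    """Split one log line into (timestamp, event, {key: value})."""
    ts_str, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts_str), event, fields


def check_vendor_logins(log_text, approvals):
    """Return an Alert for every successful vendor login that is not covered by
    an approval window, or that comes from a source outside the expected prefix."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, f = parse_line(line)
        user = f["user"]
        # Only vendor accounts are in scope, and only successful logins matter here.
        if user not in approvals or event != "LOGIN_OK":
            continue
        windows = approvals[user]
        in_window = any(start <= ts <= end for start, end, _ in windows)
        known_src = any(f["src"].startswith(prefix) for _, _, prefix in windows)
        reasons = []
        if not in_window:
            reasons.append("vendor login outside approved access window")
        if not known_src:
            reasons.append("vendor login from unexpected source network")
        if reasons:
            alerts.append(Alert(ts, user, f["src"], f["host"], "; ".join(reasons)))
    return alerts


def hosts_touched(alerts):
    """Distinct POS hosts reached by flagged sessions; a quick measure of spread."""
    return sorted({a.host for a in alerts})


if __name__ == "__main__":
    for a in check_vendor_logins(SAMPLE_LOG, APPROVED_ACCESS):
        print(f"{a.ts.isoformat()} {a.user} from {a.src} on {a.host}: {a.reason}")
    print("hosts touched:", hosts_touched(check_vendor_logins(SAMPLE_LOG, APPROVED_ACCESS)))
```

In the sample data the first vendor login sits inside its approval window and comes from the expected range, so it is silent; the two logins two days later, at 02:12 from an unrelated network, each raise an alert, and the host list shows the same credentials being used on more than one terminal. Failed logins are deliberately left out of this rule; a separate threshold on `LOGIN_FAIL` counts per account would cover password guessing against the vendor account.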
In late August, the U.S. Department of Homeland Security issued an advisory warning that the Backoff malware had already affected more than 1,000 U.S. businesses.
“DHS strongly recommends actively contacting your IT team, antivirus vendor, managed service provider, and/or point of sale system vendor to assess whether your assets may be vulnerable and/or compromised,” the advisory stated.