Fast food chain Dairy Queen is pushing out a security story and it's anything but sweet. The international firm on Thursday confirmed cyber criminals hit systems at some of its DQ locations and one Orange Julius location in the United States.
Dairy Queen blamed the Backoff point-of-sale malware that has been infiltrating retail systems around the country. This is the same malware that invaded Target’s systems last year, costing shareholders about $148 million.
“We are committed to working with and supporting our affected DQ and Orange Julius franchise owners to address this incident,” said John Gainor, president and CEO of International Dairy Queen. “Our customers continue to be our top priority.”
Good News, Bad News
The Department of Homeland Security’s US-CERT sent out an alert on July 31 about the malware variant targeting POS machines and revelations of its damage have been making headlines ever since. Another large victim was Home Depot, which confirmed a data breach that put about 56 million customer credit cards at risk.
For Dairy Queen’s part, the company first reported a hack on August 28 and announced an investigation, including hiring forensic experts to determine the breadth of the breach. Since almost all DQ and Orange Julius locations are independently owned and operated, this meant working closely with affected franchise owners, as well as law enforcement authorities and the payment card brands, to get some solid answers.
The results of the investigation revealed startling news: A third-party vendor’s compromised account credentials were used to access systems at some locations. DQ also reported that Backoff malware impacted payment card data at 395 of the more than 4,500 U.S. locations.
Drilling deeper, the affected systems contained payment card customer names, numbers and expiration dates. The good news is DQ has no evidence that other customer personal information, such as Social Security numbers, PINs or e-mail addresses, was compromised in the attack. Finally, DQ is certain the malware has been contained.
Pay With Cash?
John Prisco, president and CEO of real-time malware detection and remediation firm Triumfant, told he us expects more reports like this one in the days ahead.
“Would you like a breach with your sundae? Dairy Queen is another example of a company that is easy pickings for cybercriminals,” Prisco said. “There are a thousand more unprepared companies that will grace the front page of our newspapers over the next year. I scream, you scream, we all scream . . . pay with cash!”
Dairy Queen is offering free identity repair services for one year to customers in the U.S. who used their payment cards at one of the impacted restaurant locations during the time period in which the breach occurred.
Posted: 2014-10-10 @ 1:30pm PT
Why is it that all of these companies have the situation well in hand (fixed) AFTER the hack takes place? Why don't these companies put the systems in place now before these hacks occur? We're all at risk and from now on always will be. For the lesser price of securing their info. systems, they could avoid the terrible press they're getting and the loss of customer confidence which will be their undoing.
Posted: 2014-10-10 @ 12:41pm PT
Now I know why all those DQ windows seem to have soft-serve ice cream all over the inside of them.