10 Oct 14

Dairy Queen Confirms Breach at 395 Stores

Nationwide fast-food chain Dairy Queen on Thursday confirmed that malware installed on cash registers at some 395 stores resulted in the theft of customer credit and debit card information. The acknowledgement comes nearly six weeks after this publication first broke the news that multiple banks were reporting indications of a card breach at Dairy Queen locations across the country.

In a statement issued Oct. 9, Dairy Queen listed nearly 400 DQ locations and one Orange Julius location that were found to be infected with the widely-reported Backoff malware that is targeting retailers across the country.

Curiously, Dairy Queen said that it learned about the incident in late August from law enforcement officials. However, when I first reached out to Dairy Queen on Aug. 22 about reports from banking sources that the company was likely the victim of a breach, the company said it had no indication of a card breach at any of its 4,500+ locations. Asked about the apparent discrepancy, Dairy Queen spokesman Dean Peters said that by the time I called the company and inquired about the breach, Dairy Queen’s legal team had indeed already been notified by law enforcement.

“When I told you we had no knowledge, I was being truthful,” Peters said. “However, I didn’t know at that time that someone [from law enforcement] had already contacted Dairy Queen.”

In answer to inquiries from this publication, Dairy Queen said its investigation revealed that the same third-party point-of-sale vendor was used at all of the breached locations, although it declined to name the affected vendor. However, multiple sources contacted by this reporter said the point-of-sale vendor in question was Panasonic Retail Information Systems.

In response to questions from KrebsOnSecurity, Panasonic issued the following non-denial statement:

“Panasonic is proud that we can count Dairy Queen as a point-of-sale hardware customer. We have seen the media reports this morning about the data breaches in a number of Dairy Queen outlets. To the best of our knowledge, these types of malware breaches are generally associated with network security vulnerabilities and are not related to the point-of-sale hardware we provide. Panasonic stands ready to provide whatever assistance we can to our customers in resolving the issue.”

The Backoff malware that was found on compromised Dairy Queen point-of-sale terminals is typically installed after attackers compromise remote access tools that allow users to connect to the systems over the Internet. All too often, the user accounts for these remote access tools are protected by weak or easy-to-guess username and password pairs.

The incident at DQ fits a pattern of breaches involving retail chains that rely heavily on franchisees and poorly-secured point-of-sale products which allow remote access over the Internet. On Sept. 24, nationwide sandwich chain Jimmy John’s confirmed reports first published in this blog about a likely point-of-sale breach at the company’s stores. While there are more than 1,900 franchised Jimmy John’s locations, only 216 were hit, and they were all running the same point-of-sale software from Newtown, Pa. based Signature Systems. On Sept. 26, Signature disclosed that at least 100 other mom-and-pop restaurants that it serves were compromised through its point-of-sale systems.

Earlier in September, KrebsOnSecurity reported that a different hacked point-of-sale provider was the driver behind a breach that impacted more than 330 Goodwill locations nationwide. That breach, which targeted payment vendor C&K Systems Inc., persisted for 18 months, and involved two other as-yet unnamed C&K customers.

Dairy Queen said that it will be offering free credit monitoring services to affected customers. This has become the standard response for companies trying to burnish their public image in the wake of a card breach, even though credit monitoring services do nothing to help consumers detect or prevent fraud on existing accounts — such as credit and debit cards.

There is no substitute for monitoring your monthly bank and credit card statements for unauthorized or suspicious transactions. If you’re looking for information about how to protect yourself or loved ones from identity thieves, check out the tips in the latter half of this article.


41 comments

  1. Great follow up Brian – please keep doing this awesome job. The credit card POS landscape in the U.S. seems totally insecure (doesn’t seem to matter who the vendor is).

    Resigned myself to using cash for daily small things and one credit card for other things, that I am assuming will only last for 6 months or less prior to needing to get replaced. Had our credit card get used by Target, Home Depot, DQ and Goodwill during their vulnerable timelines.

    • Ouch. You should play the lottery :-)

      Joking aside, I’ve started using a separate card for automatic payments (utilities, etc), since those are rarely if ever breached. That way if a card is compromised at a retail establishment, it is absolutely no skin off my back to get a replacement card from the bank and shred the now-compromised one.

      • Oh, and +1 to “There is no substitute for monitoring your monthly bank and credit card statements for unauthorized or suspicious transactions.”

        • The Human Defense

          David,
          Yes, that is a great point. Always appreciate Brian’s reporting style. He never just says here is the issue, without always making sure there is a possible way to reduce the risk.
          I have conducted several interviews with reporters in the last 60 days on this subject, and it’s really pathetic how all they want to do is dramatize the issue vs. really focus on the solutions/helpful information.

    • I haven’t been in a K mart in several years, like to see them shuttered for good, ditto Sears which is stuck in the ’60’s, store is crammed/cluttered and 70 yr. old buildings. Use cash and for large amounts write a check. Credit cards are fine for mail order. We have a Blue bird card for ebay. All stores are suspect until they come out with the chip next year.

      • Since when do any retail stores still take checks???

      • Why do so many misunderstand this entire issue and EMV/Chip and PIN?

        Until ALL credit cards issued and in use are void of the mag stripe, and until ALL merchants refuse to accept mag stripe cards, EMV / Chip and PIN / Chip and SIGN, do ABSOLUTELY NOTHING to prevent your card data from being stolen. If you could request a credit card with no mag stripe, you would be hard pressed to find anywhere to shop with it. So as long as that little mag stripe is on the back of the card, you are at risk. Once that goes away, the criminals will already have figured out how to counterfeit those. (Google anything about counterfeiting and your pessimism of my statement will be shot) The only FIX for this is for the banks to build a system where the merchants DO NOT take possession in any way, shape or form the consumer’s credit card number. i.e. HW encryption and tokenization. Secondly, you should never have to pay for a fraudulent charge in the US. Monitor charges to your card(s) and report any suspect charges immediately. These hacks should be at most an inconvenience to card holders.

  2. The Human Defense

    Brian,
    Excellent article, and I remember reading your original article on this situation.
    My question for you is to confirm a portion of your original post, or at least I believe it was from your post.
    They (DQ/Orange Julius) do not have a centralized cyber incident/breach process or business continuity policy. Additionally, as I recall, no real way of knowing just how many of their stores were impacted. Therefore, could the list of stores grow, or have they used law enforcement and other 3rd party vendors to investigate and eradicate all of the malware and the list stands as is?

  3. “There is no substitute for monitoring your monthly bank and credit card statements for unauthorized or suspicious transactions.”

    I just have to put in a plug for Bank of America’s My Portfolio and 2 step authentication. I see every transaction on every account I have on a daily basis, even when the account is at another financial institution.

    I caught a compromised credit card with a very low fraudulent charge a few years ago monitoring all account activity.

  4. I was lucky to be unaffected by all the major breaches the last couple years except for this one.
    I got an icecream cake at DQ in June and out of the blue in August my bank replaced my card because of fraud at an unnamed business. I suspected DQ before but now I am certain.
    The cake was poorly made and I got my cc number stolen so that will probably be my last purchase from them.

  5. Wow, the date for that last compromise shows 2014 October 6 on the list of locations. So they were still leaking up to last Monday.

  6. My card was one that was compromised and the Dairy Queen in Carterville Illinois that I use is not on the list. I would suspect this is not a full list.

  7. So I went to the Panasonic website that was referenced in the article to see what kind of knuckleheads they were. They proudly reference MicroSale as a partner, but if you click on the ‘learn more’ link it takes you to a website that is entirely in Chinese! WTF? At least I know what kind of knuckleheads they are, now.

    • Update: It’s actually a website in Japanese titled (via Google Translate) ‘Sex Shop in Gotanda.’ No mention as to whether they take credit cards, though.

    • The Human Defense

      Munch,
      Your chosen name of this organization appears accurate based on your visit to their site and subsequent link. It’s irritating that companies cannot just take the time and money to consistently audit their sites for these type of hygiene issues. Nice work, now you may want to review your system for any type of malware….just saying

  8. Dairy Queen is merely offering “Identity Repair Services” – which does not include actual Credit Monitoring.

    “Identity Repair Services. We are offering affected customers in the U.S. who used their payment card at one of the impacted Dairy Queen locations or the one impacted Orange Julius location during the relevant time period identity repair services (AllClear SECURE) from AllClear ID for one year at no cost to them. These services start on October 9, 2014 and will be available at any time during the next 12 months. These services provide affected customers with a dedicated investigator to assist them with fraud-related issues arising from this incident. These services are automatically available to affected customers and no enrollment is required. Affected customers may receive these fraud assistance services by calling 1-855-865-4456.”

    So pretty much they’re saying they’ll send you a packet in the mail if you’ve become a victim, and you’re on your own. Not that Credit Monitoring is the solution anyway … but just wanted to make that point. They are hardly offering anything to their compromised customers.

    • Because it’s not necessary! The data about you that was stolen through the DQ breach cannot be used to setup a line of credit in your name; if a fraudulent card is created using your card’s information, it will still hit your account, that’s why the advice is to watch for charges to THAT account which you did not make. A credit reporting service will not do that for you.

      DQ, like others, is just offering the Band-Aid for your boo-boo. You’re not really hurt, you don’t really need the Band-Aid, but it might make you feel better. They are servicing their ignorant customers who psychologically get some comfort out of knowing that they have some sort of monitoring or repair service offered by DQ.

  9. It wasn’t the Panasonic registers.

    • The affected registers in the DQ breach were the Positouch ones NOT the Panasonic registers. The statement that Panasonic provided while full of CYA legalese is correct in its denial.

  10. Panasonic: “To the best of our knowledge, these types of malware breaches are generally associated with network security vulnerabilities and are not related to the point-of-sale hardware we provide.”

    Nice to see Panasonic so glibly wash their hands of any culpability. Did they (or should they have) at least suggested to their customers to check the network security of the terminals? How long has Panasonic known that incorrectly or sloppily configured terminals might be vulnerable?

  11. “When I told you we had no knowledge, I was being truthful,” Peters said. “However, I didn’t know at that time that someone [from law enforcement] had already contacted Dairy Queen.”

    So a spokesman answers without actually doing any research inside his company on the question? And then says he was being truthful?

  12. Were any Dairy Queen or Orange Julius locations in Canada affected?

  13. The DQ I go to changed out their PBS machines a month ago. Also, does anyone know if the list is just corporate DQs? Ours is family owned and it is not on the list.

    • DQ is now primarily a franchising company. They have only a couple of corporate owned stores, having sold off most of them a few years back. The flagship corporate store in Minnesota was not affected.

  14. Yet another US-based franchise business with locations in Canada but no Canadian outlets were victims. Seems to be an ongoing trend – what is the reason? Canada too small, different cards/pos systems, better security?

    Apart from Home Depot there has to be a reason why US outlets are being breached but their sister-stores across the border(s) (some in Mexico too) are not. Anyone? Bueller?

    • I have been to Canada a few times over the past couple years and can tell you that the businesses there use the chip n sign system. When paying for your meal at a restaurant, they do not take your credit card either. Instead they bring a wireless credit card terminal to your table and wait while you stick the card in (or swipe it in my case). During the whole transaction the waiter/waitress never touches the credit card. I had a couple of staff give me funny looks when I swiped instead of sticking the card in the chip reader. Had to show them my card did not have a chip. So I am not surprised we are not seeing breaches for the Canadian subsidiaries of U.S. companies.

    • Different credit card processors in Canada than their American counterparts.

  15. “Those in Canada and especially Mexico are probably breached and the retailer or vendor just plain does not know, know how to know or never will know and so on , , , .”

    Says with tongue in cheek but with dead serious face.

    I have great friends who are Mexican and Canadian.

  16. 400 stores out of 4,500 is 8%. I can’t find a source to verify, but I seem to remember that there was a percentage of systems that could be out of compliance with PCI if there was a plan underway to address them. I wonder if the affected systems were part of that group.

  17. Shivraj Asthana

    Is the number of such attacks snowballing lately because the window of opportunity will be open only till next October, when the “chip-n-pin” system gets implemented (hopefully)?

    • It’s “chip-n-sign” rather than “chip-n-PIN”, unfortunately.

      I have no idea why they didn’t go the whole way but they didn’t.

      • For this type of fraud PIN has no added benefit. What is currently occurring is that fraudsters are stealing track 2 data from magstripe transactions. The track data can then be used to create counterfeit cards with magstripes to be used fraudulently. In an EMV environment, the track data that would be compromised would not allow fraudsters to create fake magstripes since the data will not validate correctly (assuming the issuer is checking CVC/CVV for magstripe transactions). In addition the data can’t be used to create fake chip cards either (assuming the issuers are checking ARQC). This leaves the only avenue for fraudsters as card not present fraud at locations that don’t require CVC2 validation (CVC2 is not part of the track 2 data regardless of mag or EMV and therefore is not compromised in this scenario). All this is true whether you use PIN or not. The chip part of “chip and PIN” prevents counterfeit magstripe cards from being created. The PIN prevents someone who physically steals your card from using it. PIN only mitigates lost/stolen fraud and not skim/counterfeit fraud. Lost/stolen fraud is very rare and too small for most issuers to worry about. Typically, skimming/counterfeit accounts for 35%-45% of fraud losses. Lost/stolen is about 5%.

  18. Hello Brian, I left a comment yesterday in the late afternoon on the Dairy Queen story – it was marked “awaiting moderation”. Later in the evening I was unable to contact your site for several hours (DOS attack?).
    This morning the comment is gone.
    Was the comment lost on the difficulties? Or was it deleted as inappropriate? If so, why? I don’t want to make the same error again.

    I am a long-time fan and I have great respect for your work.

    Also, the means to contact you is gone from the site (too much overhead?) – I would have used that.

    Please don’t post this as a comment. I just want to know what happened to my comment on the Dairy Queen story.

    Thanks and regards.

  19. I’d love to see data that correlates fraud losses to higher prices. Fraud losses/expenses are a minuscule fraction of a bank’s operating costs and losses. I can tell you that if our fraud losses at the bank I work increased by 300% it would barely make a dent in our bottom line.

    Between Target and Home Depot the division I work for had about 100,000 accounts “compromised”. Less than 5% of those experienced fraud and the total losses were less than $1,000,000. The revenue earned on the remaining accounts dwarfs the fraud losses.

    Having said that we still need to plan and account for these “unexpected” data breaches and adjust our fraud expense forecast but that’s just to make the accountants happy. At the end of the day fraud is a slight nuisance at most. Hell we lost $1,000,000 in two days over an EMV attack (our typical losses over a month is $1,000,000) and no one blinked.

  20. Again, Trustwave is connected to yet another security breach! Trustwave acquired a company called SecureConnect in April of 2013. Trustwave has only been concerned about acquiring smaller, with perhaps less revenue, and ironically, directly competitive companies for several years now. They couldn’t care less about the current customers that came along with the acquisition, they were practically forced into buying their false layer of “trust”. If you do the research you will find that Trustwave is at the core of these breaches. Target, JP Morgan, Dairy Queen and probably countless others!

  21. [INSERT BREACHED COMPANY NAME HERE] “would be offering free credit monitoring protection ..”

    It must extend to just about every US card holder by now!

  22. If PCI would take a very simple step: encrypt the magnetic stripe data, keeping the key only within PCI processing centers they could fix most of the current mess with just a software change. No need to replace all the pos terminals.

    The merchant system would have to forward the amount of the invoice together with the cipher text off the mag strip to the PCI process center where it would be decrypted. On approval the approval code and EFT are returned to the merchant.