Nationwide fast-food chain Dairy Queen on Thursday confirmed that malware installed on cash registers at some 395 stores resulted in the theft of customer credit and debit card information. The acknowledgement comes nearly six weeks after this publication first broke the news that multiple banks were reporting indications of a card breach at Dairy Queen locations across the country.
In a statement issued Oct. 9, Dairy Queen listed nearly 400 DQ locations and one Orange Julius location that were found to be infected with the widely reported Backoff malware that is targeting retailers across the country.
Curiously, Dairy Queen said that it learned about the incident in late August from law enforcement officials. However, when I first reached out to Dairy Queen on Aug. 22 about reports from banking sources that the company was likely the victim of a breach, the company said it had no indication of a card breach at any of its 4,500+ locations. Asked about the apparent discrepancy, Dairy Queen spokesman Dean Peters said that by the time I called the company and inquired about the breach, Dairy Queen’s legal team had indeed already been notified by law enforcement.
“When I told you we had no knowledge, I was being truthful,” Peters said. “However, I didn’t know at that time that someone [from law enforcement] had already contacted Dairy Queen.”
In answer to inquiries from this publication, Dairy Queen said its investigation revealed that the same third-party point-of-sale vendor was used at all of the breached locations, although it declined to name the affected vendor. However, multiple sources contacted by this reporter said the point-of-sale vendor in question was Panasonic Retail Information Systems.
In response to questions from KrebsOnSecurity, Panasonic issued the following non-denial statement:
“Panasonic is proud that we can count Dairy Queen as a point-of-sale hardware customer. We have seen the media reports this morning about the data breaches in a number of Dairy Queen outlets. To the best of our knowledge, these types of malware breaches are generally associated with network security vulnerabilities and are not related to the point-of-sale hardware we provide. Panasonic stands ready to provide whatever assistance we can to our customers in resolving the issue.”
The Backoff malware that was found on compromised Dairy Queen point-of-sale terminals is typically installed after attackers compromise remote access tools that allow users to connect to the systems over the Internet. All too often, the user accounts for these remote access tools are protected by weak or easy-to-guess username and password pairs.
The incident at DQ fits a pattern of breaches involving retail chains that rely heavily on franchisees and poorly secured point-of-sale products that allow remote access over the Internet. On Sept. 24, nationwide sandwich chain Jimmy John’s confirmed reports first published in this blog about a likely point-of-sale breach at the company’s stores. While there are more than 1,900 franchised Jimmy John’s locations, only 216 were hit, and they were all running the same point-of-sale software from Newtown, Pa.-based Signature Systems. On Sept. 26, Signature disclosed that at least 100 other mom-and-pop restaurants that it serves were compromised through its point-of-sale systems.
Earlier in September, KrebsOnSecurity reported that a different hacked point-of-sale provider was the driver behind a breach that impacted more than 330 Goodwill locations nationwide. That breach, which targeted payment vendor C&K Systems Inc., persisted for 18 months, and involved two other as-yet unnamed C&K customers.
Dairy Queen said that it will be offering free credit monitoring services to affected customers. This has become the standard response for companies trying to burnish their public image in the wake of a card breach, even though credit monitoring services do nothing to help consumers detect or prevent fraud on existing accounts — such as credit and debit cards.
There is no substitute for monitoring your monthly bank and credit card statements for unauthorized or suspicious transactions. If you’re looking for information about how to protect yourself or loved ones from identity thieves, check out the tips in the latter half of this article.