Dairy Queen hacked by same malware that hit Target

Dairy Queen has become the latest major company hit by a data breach. A malware known as  'Backoff' –  the same responsible for the major Target data breach – was found in the computer systems of Dairy Queens across seven states. 

  • close
    A Dairy Queen store. Dairy Queen is the latest restaurant the announce a data breach at its stores.
    Business Wire
    View Caption
  • About video ads
    View Caption

The malware that caused a major breach for Target has struck again.

Authorities are investigating the malware, known as "Backoff"  that may have been found on the computer systems of some Dairy Queen restaurants. 

“We have been working on the situation for a couple of days," said Dean Peters, media spokesman for the Minneapolis-based fast-food chain. "The protection of customer data is a top priority for us and our franchisees, and we take it seriously. We, like many other companies, were recently notified that customer data at a limited number of stores may be at risk, due to the widespread proliferation of the 'Backoff' malware. "

The Department of Homeland Security says Backoff is a point of sale malware that exploits "businesses' administrator accounts remotely" and exfiltrates "consumer payment data." The department says the malware was released last October, but was undetectable to current anti-malware software. It's believed to have infected more than 1,000 US businesses, and DHS is urging firms to check for infection. 

"The Secret Service is active in contacting impacted businesses, as they are identified, and continues to work with and support those businesses that have been impacted by this [Backoff] malware," DHS said in a statement.

KrebsOnSecurity, which first reported the story, wrote that financial institutions were dealing with a pattern of fraud from cards used at Dairy Queen in several states, including Alabama, Indiana, Illinois, Kentucky, Ohio, Tennessee, and Texas. 

“We’re getting slammed today,” a fraud manager told KrebsOnSecurity Tuesday. “We’re just getting all kinds of fraud cases coming in from members having counterfeit copies of their cards being used at dollar stores and grocery stores.”

Mr. Peters said Dairy Queen is working to investigate the problem. "In addition to communicating with potentially affected franchised locations, credit card processors, and credit card companies to gather relevant information, we immediately began cooperating with the authorities investigating this particular malware," he said.

Most Dairy Queen stores are independently owned and operated franchises, which makes maintaining security of information difficult. Peters told KrebsOnSecurity that Dairy Queen does not require stores to notify the company when a breach happens.

“At this time, there is no such policy,” Peters said. “We would assist them if [any franchisees] reached out to us about a breach, but so far we have not heard from any of our franchisees...”

Julie Conroy, a research director at Aite Group, told KrebsOnSecurity that companies must have a breach notification policy to protect customers and the company's brand.

“This goes back to the eternal challenge with all small merchants. Even with companies like Dairy Queen, where the mother ship is huge, each of the individual establishments are essentially mom-and-pop stores, and a lot of these stores still don’t think they’re a target for this type of fraud. By extension, the mother ship is focused on herding a bunch of cats in the form of thousands of franchisees, and they’re not thinking that all of these stores are targets for cybercriminals and that they should have some sort of company-wide policy about it. In fact, franchised brands that have that sort of policy in place are far more the exception than the rule.”

Backoff is behind the recent data breaches at Target, Supervalu, and United Parcel Service (UPS). The biggest was at Target, where hackers stole tens of millions of customers' data by taking information directly off the magnetic strip of credit and debit cards during the 2013 holiday shopping season. UPS announced in early August that it was hit by the malware, which affected 100,000 transactions at 51 UPS stores in 24 states.

The Payment Card Industry Security Standards Council released preventative measures against the Backoff malware to businesses Wednesday. PCI said businesses should update anti-virus suites and change passwords to payment systems. But, Avivah Litan, an analyst at Garner, said its too little too late. 

"The damage has already been done and PCI compliance processes did not stop this attack" Ms. Litan told Computerworld. "There's no new rules or mandates here.... The PCI Council and the card brands, banks, payment processors need to make the payment system more secure and stop putting all the responsibility on the retailers to patch an inherently flawed system."

Make a Difference
Inspired? Here are some ways to make a difference on this issue.
FREE Newsletters
Get the Monitor stories you care about delivered to your inbox.

We want to hear, did we miss an angle we should have covered? Should we come back to this topic? Or just give us a rating for this story. We want to hear from you.




Save for later


Saved ( of items)

This item has been saved to read later from any device.
Access saved items through your user name at the top of the page.

View Saved Items


Failed to save

You reached the limit of 20 saved items.
Please visit following link to manage you saved items.

View Saved Items


Failed to save

You have already saved this item.

View Saved Items