The malware that caused a major breach for Target has struck again.
Authorities are investigating the malware, known as "Backoff" that may have been found on the computer systems of some Dairy Queen restaurants.
“We have been working on the situation for a couple of days," said Dean Peters, media spokesman for the Minneapolis-based fast-food chain. "The protection of customer data is a top priority for us and our franchisees, and we take it seriously. We, like many other companies, were recently notified that customer data at a limited number of stores may be at risk, due to the widespread proliferation of the 'Backoff' malware. "
The Department of Homeland Security says Backoff is a point of sale malware that exploits "businesses' administrator accounts remotely" and exfiltrates "consumer payment data." The department says the malware was released last October, but was undetectable to current anti-malware software. It's believed to have infected more than 1,000 US businesses, and DHS is urging firms to check for infection.
"The Secret Service is active in contacting impacted businesses, as they are identified, and continues to work with and support those businesses that have been impacted by this [Backoff] malware," DHS said in a statement.
KrebsOnSecurity, which first reported the story, wrote that financial institutions were dealing with a pattern of fraud from cards used at Dairy Queen in several states, including Alabama, Indiana, Illinois, Kentucky, Ohio, Tennessee, and Texas.
“We’re getting slammed today,” a fraud manager told KrebsOnSecurity Tuesday. “We’re just getting all kinds of fraud cases coming in from members having counterfeit copies of their cards being used at dollar stores and grocery stores.”
Mr. Peters said Dairy Queen is working to investigate the problem. "In addition to communicating with potentially affected franchised locations, credit card processors, and credit card companies to gather relevant information, we immediately began cooperating with the authorities investigating this particular malware," he said.
Most Dairy Queen stores are independently owned and operated franchises, which makes maintaining security of information difficult. Peters told KrebsOnSecurity that Dairy Queen does not require stores to notify the company when a breach happens.
“At this time, there is no such policy,” Peters said. “We would assist them if [any franchisees] reached out to us about a breach, but so far we have not heard from any of our franchisees...”
Julie Conroy, a research director at Aite Group, told KrebsOnSecurity that companies must have a breach notification policy to protect customers and the company's brand.
“This goes back to the eternal challenge with all small merchants. Even with companies like Dairy Queen, where the mother ship is huge, each of the individual establishments are essentially mom-and-pop stores, and a lot of these stores still don’t think they’re a target for this type of fraud. By extension, the mother ship is focused on herding a bunch of cats in the form of thousands of franchisees, and they’re not thinking that all of these stores are targets for cybercriminals and that they should have some sort of company-wide policy about it. In fact, franchised brands that have that sort of policy in place are far more the exception than the rule.”
Backoff is behind the recent data breaches at Target, Supervalu, and United Parcel Service (UPS). The biggest was at Target, where hackers stole tens of millions of customers' data by taking information directly off the magnetic strip of credit and debit cards during the 2013 holiday shopping season. UPS announced in early August that it was hit by the malware, which affected 100,000 transactions at 51 UPS stores in 24 states.
The Payment Card Industry Security Standards Council released preventative measures against the Backoff malware to businesses Wednesday. PCI said businesses should update anti-virus suites and change passwords to payment systems. But, Avivah Litan, an analyst at Garner, said its too little too late.
"The damage has already been done and PCI compliance processes did not stop this attack" Ms. Litan told Computerworld. "There's no new rules or mandates here.... The PCI Council and the card brands, banks, payment processors need to make the payment system more secure and stop putting all the responsibility on the retailers to patch an inherently flawed system."