Dairy Queen hacked by same malware that hit Target

Dairy Queen has become the latest major company hit by a data breach. Malware known as 'Backoff', the same malware responsible for the major Target data breach, was found in the computer systems of Dairy Queens across seven states.

Business Wire
A Dairy Queen store. Dairy Queen is the latest restaurant to announce a data breach at its stores.

The malware that caused a major breach for Target has struck again.

Authorities are investigating the malware, known as "Backoff," that may have been found on the computer systems of some Dairy Queen restaurants.

"We have been working on the situation for a couple of days," said Dean Peters, media spokesman for the Minneapolis-based fast-food chain. "The protection of customer data is a top priority for us and our franchisees, and we take it seriously. We, like many other companies, were recently notified that customer data at a limited number of stores may be at risk, due to the widespread proliferation of the 'Backoff' malware."

The Department of Homeland Security says Backoff is point-of-sale malware that exploits "businesses' administrator accounts remotely" and exfiltrates "consumer payment data." The department says the malware was released last October but was undetectable to current anti-malware software. It's believed to have infected more than 1,000 US businesses, and DHS is urging firms to check for infection.

"The Secret Service is active in contacting impacted businesses, as they are identified, and continues to work with and support those businesses that have been impacted by this [Backoff] malware," DHS said in a statement.

KrebsOnSecurity, which first reported the story, wrote that financial institutions were dealing with a pattern of fraud from cards used at Dairy Queen in several states, including Alabama, Indiana, Illinois, Kentucky, Ohio, Tennessee, and Texas. 

“We’re getting slammed today,” a fraud manager told KrebsOnSecurity Tuesday. “We’re just getting all kinds of fraud cases coming in from members having counterfeit copies of their cards being used at dollar stores and grocery stores.”

Mr. Peters said Dairy Queen is working to investigate the problem. "In addition to communicating with potentially affected franchised locations, credit card processors, and credit card companies to gather relevant information, we immediately began cooperating with the authorities investigating this particular malware," he said.

Most Dairy Queen stores are independently owned and operated franchises, which makes maintaining security of information difficult. Peters told KrebsOnSecurity that Dairy Queen does not require stores to notify the company when a breach happens.

“At this time, there is no such policy,” Peters said. “We would assist them if [any franchisees] reached out to us about a breach, but so far we have not heard from any of our franchisees...”

Julie Conroy, a research director at Aite Group, told KrebsOnSecurity that companies must have a breach notification policy to protect customers and the company's brand.

“This goes back to the eternal challenge with all small merchants. Even with companies like Dairy Queen, where the mother ship is huge, each of the individual establishments are essentially mom-and-pop stores, and a lot of these stores still don’t think they’re a target for this type of fraud. By extension, the mother ship is focused on herding a bunch of cats in the form of thousands of franchisees, and they’re not thinking that all of these stores are targets for cybercriminals and that they should have some sort of company-wide policy about it. In fact, franchised brands that have that sort of policy in place are far more the exception than the rule.”

Backoff is behind the recent data breaches at Target, Supervalu, and United Parcel Service (UPS). The biggest was at Target, where hackers stole tens of millions of customers' data by taking information directly off the magnetic stripe of credit and debit cards during the 2013 holiday shopping season. UPS announced in early August that it was hit by the malware, which affected 100,000 transactions at 51 UPS stores in 24 states.

The Payment Card Industry Security Standards Council released preventative measures against the Backoff malware for businesses on Wednesday. PCI said businesses should update anti-virus suites and change passwords to payment systems. But Avivah Litan, an analyst at Gartner, said it's too little, too late.

"The damage has already been done and PCI compliance processes did not stop this attack," Ms. Litan told Computerworld. "There's no new rules or mandates here.... The PCI Council and the card brands, banks, payment processors need to make the payment system more secure and stop putting all the responsibility on the retailers to patch an inherently flawed system."
