Dairy Queen confirms Backoff malware led to data breach

In a statement, Dairy Queen says that POS malware was discovered on systems in 395 stores

[Image: Dairy Queen Grill & Chill sign. Credit: Jim Legans, Jr]

On Thursday, the Minneapolis-based Dairy Queen confirmed a data breach that impacts 395 stores. The fast-food chain says the breach was caused by the same family of point-of-sale (POS) malware that gained attention earlier this summer after an advisory from the US Secret Service made the rounds.

The malware is called Backoff, and according to Dairy Queen's statement, it compromised payment card data at 396 stores.

The public first learned of Backoff in July, after the US Secret Service issued an advisory warning that criminals were targeting poorly protected instances of RDP, including services from Microsoft, Apple, Chrome, Splashtop 2, Pulseway, LogMeIn, and Join.Me. At the time, criminals had targeted some 600 businesses with the POS malware.

There were rumors that Dairy Queen was one of those businesses, and the company denied them at first. On August 28, however, it changed its stance after the US Secret Service informed it of "suspicious activity" related to a variant of Backoff. Dairy Queen promised an investigation, the results of which were in Thursday's announcement.

Dairy Queen has published a list of stores that were impacted, sorted by state, along with the dates that the malware was actively collecting data. Based on the details, the malware was active between August 1 and September 23.

An investigation into the incident revealed that a third-party vendor's compromised account credentials were used to access systems at some locations, but details as to who the vendor was or what their credentials were used for remain unknown.

"We deeply regret any inconvenience this incident may cause. Our customers are our top priority and we are committed to working with our franchise owners to address the issue," said Dairy Queen's CEO, John Gainor, in a statement.

The company is offering one year of credit monitoring through AllClear ID to anyone who had their card details exposed during the incident. The offer began on October 9, and will remain available for the next 12 months.
