Dairy Queen update: almost 400 locations affected by Backoff malware
The Dairy Queen breach, first reported in August, is back in the news this week as more details have emerged. In a statement issued yesterday, the company writes (emphasis added by me):
International Dairy Queen, Inc. recently learned of a possible malware intrusion that may have affected some payment cards at certain DQ® locations and one Orange Julius® location in the U.S. Upon learning of the issue, we launched an extensive investigation and retained external forensic experts to help determine the facts. Because nearly all DQ and Orange Julius locations are independently owned and operated, we worked closely with affected franchise owners, as well as law enforcement authorities and the payment card brands, to assess the nature and scope of the issue. As a result of our investigation, we discovered evidence that the systems of some DQ locations and one Orange Julius location were infected with the widely-reported Backoff malware that is targeting retailers across the country. The investigation revealed that a third-party vendor’s compromised account credentials were used to access systems at those locations.
Based on the investigation, we have established the following:
- The Backoff malware was present on systems at a small percentage of locations in the U.S.
- The time periods during which the Backoff malware was present on the affected systems vary by location. A list of impacted DQ locations and the one Orange Julius location, as well as the relevant time periods, is available here.
- The affected systems contained customers’ names, payment card numbers and expiration dates. We have no evidence that other customer personal information, such as Social Security numbers, PINs or email addresses, was compromised as a result of this malware infection.
- Based on our investigation, we are confident that this malware has been contained.
We deeply regret any inconvenience this incident may cause. Our customers are our top priority and we are committed to working with our franchise owners to address the issue.
We are notifying DQ and Orange Julius customers about this incident so they can take steps to help protect their information. You are entitled under U.S. law to one free credit report annually from each of the three nationwide consumer reporting agencies. We encourage you to remain vigilant by reviewing your account statements and monitoring your free credit reports. If you believe your payment card may have been affected, contact your bank or payment card issuer immediately. Additional information and security tips are available here.
We are offering free identity repair services for one year to customers in the U.S. who used their payment card at one of the impacted locations during the relevant time period. Information on these services and eligibility can be found here.
If you have any questions about this issue, please call us toll-free at 1-855-865-4456, Monday through Saturday from 8 a.m. CT to 8 p.m. CT.
We sincerely apologize for any inconvenience this may have caused you.