Company is confident that the malware has been eliminated

Oct 11, 2014 00:01 GMT

The data breach at Dairy Queen was acknowledged by the company in late August, but confirmation of the Backoff POS malware was provided on Thursday, along with information that 396 stores had been impacted.

One of the affected locations is an Orange Julius; all the rest operate under the Dairy Queen (DQ) brand. Most of the stores are independently owned and operated, which generally makes the investigation of such an incident take longer.

DQ was alerted to possible breach in August

When the company first received news of a possible compromise of the payment systems in late August, it denied that fraud reports had been received. Later, the US Secret Service contacted Dairy Queen representatives to inform them that a piece of POS malware affecting hundreds of retailers was present on their payment processing systems, too.

Speculation about Backoff being at fault has hovered since then, given that it was the only POS malware at the time with a major impact on retailers. The Department of Homeland Security issued an advisory around that time about Backoff impacting more than 1,000 businesses.

Third-party vendor blamed for losing customer card data

In a recent statement, Dairy Queen President and CEO John Gainor said that Backoff managed to pull only customers’ names, payment card numbers and expiration dates from different locations in the US, with no evidence that social security numbers, PINs or email addresses were leaked.

He said the investigation of the incident showed that the credentials of a third-party vendor had been stolen and used to access systems at the compromised locations.

“To mitigate threats from third-parties, it is best practice to only enable a vendor's account when access is needed for a business service, and to monitor the account activities at all times,” said Joe Schumacher, security consultant at Neohapsis, via email.

“If the vendor access is through a remote connection, then two-factor authentication should be issued for each account the vendor needs to give accountable individuals access for vendor services,” he added.

POS malware has been contained, says DQ CEO

A list of all locations affected by the incident has been provided by Dairy Queen. It reveals that the earliest sign of intrusion was detected on August 1, while the latest end date of the compromise is this Monday, October 6, in 93 of the cases.

At the moment, the malware has been eliminated from the POS systems and shopping at Dairy Queen should be safe, the CEO says.

John Gainor has informed the company that customers whose card details were exposed during the breach are offered one year of free identity protection services, starting Thursday, October 9.