It has happened again – another corporate data breach. This time it’s Dairy Queen. The popular ice cream chain announced Thursday that it is the latest target of customer data theft.
Dairy Queen announced in a press release that the credit card systems at numerous locations nationwide, and one Orange Julius location, were infected with the Backoff malware, suspected as the cause of other data breaches at U.S. retailers.
The company found that 395 of its 4,500 locations were affected by the malware. The data breach resulted in the theft of customer names, card numbers and expirations dates, but not the PIN numbers for the credit or debit cards, according to the parent company. For a full list of affected establishments, click here.
“The company has no evidence that other customer personal information, such as Social Security numbers, PINs or email addresses, was compromised as a result of this malware infection,” according to a press release posted to the website of the parent company, International Dairy Queen Inc. (http://www.dairyqueen.com/datasecurityincident/press-release/)
Among the affected stores were two area Dairy Queen locations – the DQ Grill and Chill restaurant at 820 Kenhorst Plaza in Kenhorst and the DQ Grill and Chill location at 5710 Perkiomen Ave. in Exeter.
In the press release, “The company previously indicated that it was investigating a possible malware intrusion that may have affected some payment cards used at certain DQ locations in the U.S. Upon learning of the issue, the company conducted an extensive investigation and retained external forensic experts to help determine the facts.”
The company notes that because all its retail locations are independently owned and operated franchises, it had to coordinate the investigation into the breach with numerous individual owners, law enforcement and payment companies to discover the source of the data breach.
“The investigation revealed that a third-party vendor’s compromised account credentials were used to access systems at some locations,” the press release states.
The data breach at the Exeter location occurred between Aug. 2 and Aug. 29 of this year, according to the company. The data breach at the Kenhorst location occurred between Aug. 4 and Aug. 29. Both restaurants are owned and operated by Hamid Chaudhry.
Chaudhry said he was notified about the breach in early September, and immediately stopped processing credit card payments online through the cash register. He switched to using a separate system connected through a landline.
“The landline is not fast enough for hackers, so it’s a turn-off for them,” Chaudhry said. He added that once a transaction is completed, it is finished, “No-one can go back into it to look at the information. It would take assistance from the processing company to do that. We can’t access it and neither can hackers.”
Processing the credit cards separately takes a little bit longer, and Chaudhry said it has added about an hour of work for him each night at each location, because the receipts must be reconciled manually.
“The backup works fine. We’ll use it until the vendor comes up with a solution.”
Chaudhry has owned and operated the Kenhorst location for 12 years and the Exeter location for 9 years.
“Credit card theft is this generation’s pick pockets,” he said.
Dairy Queen said it is “confident” that the malware issues have been “contained” and is working with franchise owners to resolve the issue.
Dairy Queen is offering free identity repair services to customers who used a credit or debit card to pay at any of the affected stores during the period when the malware was present. It is also advising customers to check their credit reports and bank statements to be aware of any suspicious activity.
Any customers who may have been affected and who have questions can call 1-855-865-4456, Monday through Saturday from 8 a.m. to 8 p.m. CT.
Email story ideas to drovins@21st-centurymedia.com