Berkshire Hathaway subsidiary Dairy Queen announced on Thursday that a security breach involving customers’ payment card data has occurred at 395 of its restaurants across the United States.
The chain of soft serve and fast food restaurants blames a malware called Backoff for accessing systems through a third-party vendor’s account credentials which had been compromised. The same method of attack had been used to hack into Target’s systems.
Dairy Queen assures that the malware has now been contained.
Malware, short for malicious software, is any type of software created to disrupt a computer operation, gather sensitive data, or hack into private computer systems.
The malware gained access into customer’s names, card numbers, and card expiration dates.
According to Dairy Queen, the hacking occurred between August and October, but spanned different periods depending on the restaurant. Most outlets were affected for between three weeks to one month.
The Department of Homeland Security says the “Backoff” malware has penetrated several computer systems across America.
The company says it is offering a free identity repair service for anybody who used a debit or credit card at one of the restaurants where the malware gained access. The free service will be available for one year.
There is no evidence that email addresses, card PIN numbers or Social Security numbers were accessed, Dairy Queen added.
CEO and President John Gainor wrote:
“We deeply regret any inconvenience this incident may cause. Our customers are our top priority and we are committed to working with our franchise owners to address the issue.”
US authorities concerned at spread of “Backoff”
The Department of Homeland Security’s Computer Emergency Readiness Team warned about Backoff in August 2014. It directed its warning mainly at retailers across the United States. However, banks are also vulnerable to the malware.
The Team wrote in August:
“Over the past year, the Secret Service has responded to network intrusions at numerous businesses throughout the United States that have been impacted by the “Backoff” malware. Seven PoS system providers/vendors have confirmed that they have had multiple clients affected. Reporting continues on additional compromised locations, involving private sector entities of all sizes, and the Secret Service currently estimates that over 1,000 U.S. businesses are affected.”
According to the Identity Theft Resource Center, there have been 568 data breaches in 2014 involving over 75 million records.