News Feature | October 14, 2014

Dairy Queen Confirms Data Breach

Christine Kern

By Christine Kern, contributing writer

Data Breach Reporting Requirements

Dairy Queen and Sears Join Long List of Victims of Malware Attacks

Dairy Queen’s earlier reported data breach has been confirmed by the company, according to Forbes Magazine.  It joins nearly a dozen retailers — including Sear’s, Target, Sally Beauty, Neiman Marcus, the United Parcel Service, Michaels, Albertsons, SuperValu, P.F. Chang’s and Home Depot — that have had their in-store payment systems compromised with malware over the last year.

According to the Bits blog on the New York Times website, the secret service has estimated that at least 1,000 American merchants were hit by the malware attacks this summer, perhaps without even knowing they had been breached.  No arrests have been made to date in any of the incidents.

The breach affected 395 Dairy Queen stores and one Orange Julius location, across 46 states, and was caused by the “Backoff” malware that has targeted other U.S. retailers.  The breach may have accessed customer names, payment card numbers, and expiration dates, though the company assured that the malware has been contained. To date, there is no evidence that personal information, debit card PINs, email addresses or Social Security numbers were compromised in the attacks. 

The company has provided a list of affected locations.

Kmart, a subsidiary of Sears, has also announced recently that it had been breached and has cooperated with law enforcement officials and a forensics team to investigate the matter. The breach appears to have occurred in early September, and malware was detected on some of its in-store payment systems. The malware, similar to that use in other recent attacks, was meant to evade antivirus systems.

Sears said it would offer free credit-monitoring services to any customer who had used a credit or debit card at any of its affected store locations. Dairy Queen said it would offer free identity repair services for one year to affected customers.

Recent research from the Ponemon Institute and DB Networks has suggested that merchants are not prepared to fend off such malware attacks, and only one-third of experts said they did the kind of continuous database monitoring needed to identify irregular activity in their databases, while another 22 percent acknowledged that they did no scanning at all.