A security breach at popular fast food ice cream chain Dairy Queen may have led to over half a million stolen customer credit cards, the company says.
DQ first acknowledged the breach in late August, though only after cybersecurity journalist Brian Krebs reported the attack. The company didn’t provide an exact number of affected customers, but now says “less than 600,000” credit cards are involved.
Dean Peters, a spokesperson for the chain, told reporters that the data, stolen from 395 store locations in August, includes customer names, card numbers and expiration dates. According to forensic specialists hired by the company, the malware, known as Backoff, was likely deployed after a criminal hacker gained access to the company’s systems through a third-party vendor.
Backoff is malware that remains largely undetected by antivirus software, despite being discovered months ago. According to the Secret Service, over 1,000 U.S. businesses may have been affected this year. As many as seven point-of-sale (PoS) systems providers have reported clients among the known victims. In other words, the more than half a million possible Dairy Queen victims are still just a drop in the bucket for the criminals currently using Backoff.
There are a number of precautions retailers can take to mitigate the risk of being infected with the malware. The U.S. Computer Emergency Readiness Team (CERT) recommends limiting the number of users able to log in to PoS systems that use a remote desktop application, and requiring two-factor authentication to log in.
There are several variations of the Backoff software, which have been documented at least as far back as October 2013. However, all variations essentially maintain the same functionality: the ability to scrape credit card track data, log keystrokes, and then send that information back to whoever’s controlling the malware.
At the very least, the U.S. government appears to be taking the threat posed by Backoff seriously. Organizations that believe they’ve been breached are asked to contact their local Secret Service field office.