International Dairy Queen Inc. confirmed Thursday that customer payment card data was breached at 395 Dairy Queen units and one Orange Julius location.
Edina, Minn.-based Dairy Queen said the breach occurred between Aug. 1 and Oct. 6, affecting units in 46 states and involving the so-called “Backoff” malware that has targeted other U.S. retailers.
John Gainor, Dairy Queen’s president and chief executive, wrote in a letter to customers: “Because nearly all DQ and Orange Julius locations are independently owned and operated, the company worked closely with affected franchise owners, as well as law enforcement authorities and the payment card brands, to assess the nature and scope of the issue.”
Dairy Queen has roughly 4,500 restaurants in the United States.
Gainor said the investigation found a third-party vendor’s compromised account credentials were used to access systems at some locations. The company has provided a list of affected locations.
Dairy Queen said malware-affected systems contained customers’ names, payment card numbers and expiration dates.
“We have no evidence that other customer personal information, such as Social Security numbers, PINs [personal identification numbers] or email addresses, were compromised as a result of this malware infection,” Gainor said. “Based on our investigation, we are confident that this malware has been contained.”
The company is offering free identity repair services for one year to U.S. customers who used their payment card at one of the impacted DQ locations and the one Orange Julius location affected during the time period that the breach occurred.
Data breaches this year have hit several restaurant companies, including P.F. Chang’s China Bistro and Jimmy John’s, as well as such major retailers as Home Depot, Target and Michael’s.
P.F. Chang’s China Bistro Inc., the Scottsdale, Ariz.-based company that had a data breach between October 2013 and June 11 of this year, offered similar services to patrons affected at 33 units.
The P.F. Chang’s breach resulted in a lawsuit by its insurer, The Travelers Indemnity Co. of Connecticut.
In a suit filed Oct. 2 in U.S. District Court in Connecticut, Travelers Indemnity is asking the federal court to rule that it is not responsible for legal expenses and losses stemming from the P.F. Chang's data breach. The insurer is seeking a declaration that it does not have to defend or indemnify the restaurant chain in class-action lawsuits brought by affected customers.
Last month, Champaign, Ill.-based Jimmy John’s Gourmet Sandwiches said payment card data was breached at about 216 restaurants in 40 states between June and September.
International Dairy Queen Inc., a division of Berkshire Hathaway, is the parent of American Dairy Queen Corporation and Orange Julius of America, which have a total of 6,300 stores in the United States, Canada and 25 other nations.
Contact Ron Ruggless at [email protected].
Follow him on Twitter: @RonRuggless