Dairy Queen is working with federal authorities to investigate “suspicious activity” linked to credit cards and debit cards used at some of its restaurants, the company confirmed Thursday.
The Minneapolis-based quick-service operator said it was alerted to the possible data breach by the U.S. Secret Service, which investigates such criminal activity. The possible data breach, linked to malicious software, or malware, was first reported Tuesday by KrebsOnSecurity.
“We, like many other companies, were recently notified that customer data at a limited number of stores may be at risk, due to the widespread proliferation of the ‘Backoff’ malware,” Dean A. Peters, associate vice president of communications for American Dairy Queen Corp., said Thursday.
The Backoff malware was linked to the data theft late last year at retail department store Target Corp., which involved about 40 million compromised credit cards and debit cards. Michaels Stores and Neiman Marcus were also affected.
“In addition to communicating with potentially affected franchised locations, credit card processors and credit card companies to gather relevant information, we immediately began cooperating with the authorities investigating this particular malware,” Peters said in an emailed statement. “We continue to communicate with our franchisees and service providers regarding steps necessary to protect customer data and minimize any impact to our customers.”
The company was unsure if or how widespread any data breach might have been, he noted.
“The protection of customer data is a top priority for us and our franchisees, and we take it seriously,” Peters said.
Brian Krebs, whose website has become the go-to place for rumors on credit card breaches, said he first heard reports of problems at Dairy Queen two weeks ago.
“Over the past few days, however, I’ve heard from multiple financial institutions that say they’re dealing with a pattern of fraud on cards that were all recently used at various Dairy Queen locations in several states,” he said. “There are also indications that these same cards are being sold in the cybercrime underground.”
A credit union in the Midwest reported detecting some fraud in several states.
“According to the credit union, more than 50 customers had been victimized by a blizzard of card fraud just in the past few days alone after using their credit and debit cards at Dairy Queen locations — some as far away as Florida — and the pattern of fraud suggests the DQ stores were compromised at least as far back as early June 2014,” Krebs reported.
Krebs noted that the fraud-related cards were used at Dairy Queen locations in Florida, Alabama, Indiana, Illinois, Kentucky, Ohio, Tennessee and Texas.
Krebs said the Dairy Queen reports were similar to earlier ones, still unconfirmed, traced to dozens of Jimmy John’s locations.
“Jimmy John’s has said it is investigating the breach claims, but so far it has not confirmed reports of card breaches at any of its 1,900-plus stores nationwide,” Krebs noted.
Last week, the U.S. Department of Homeland Security said that more than 1,000 U.S. retailers could be stricken with Backoff malware, which has also been linked to incidents at United Parcel Service and Supervalu.
In August, Scottsdale, Ariz.-based P.F. Chang’s China Bistro Inc. said credit card data might have been stolen from 33 of its full-service domestic Bistro restaurants between Oct. 19, 2013, and June 11, 2014.
Chang’s returned to manual-imprint credit card readers after the discovery in June. By Aug. 4, the company said the security compromise had been contained.
American Dairy Queen Corp. owns and franchises more than 6,300 Dairy Queen units in the United States, Canada and 25 other countries. ADQ is part of the Berkshire Hathaway family of companies, led by investor Warren Buffett.
Contact Ron Ruggless at [email protected]
Follow him on Twitter: @RonRuggless