After a month of speculation and investigation, restaurant chain International Dairy Queen officially confirmed on Oct. 9 that its stores had been the victim of a data breach.
International Dairy Queen's organization includes both the Dairy Queen ice cream chain and Orange Julius beverage locations, and both types of restaurants were affected by the data breach. In total, Dairy Queen has published a list of 395 of its stores across the United States that were impacted by the breach.
On the list, Dairy Queen details the start and end dates of the data breach at each location, which lasted for varying lengths of time in August.
Dairy Queen’s investigation into the incident has identified the root cause and the malware involved in the breach.
“As a result of our investigation, we discovered evidence that the systems of some DQ locations and one Orange Julius location were infected with the widely-reported Backoff malware that is targeting retailers across the country,” John Gainor, president and CEO of Dairy Queen, wrote in a letter to customers. “The investigation revealed that a third-party vendor’s compromised account credentials were used to access systems at those locations.”
Backoff malware is typically injected by way of remote access into a vulnerable point-of-sale (POS) system, which appears to be what happened in the Dairy Queen incident.
The Dairy Queen breach is similar to the recently confirmed breach at Goodwill, in that a compromised third-party vendor is being blamed. The Goodwill data breach impacted up to 868,000 credit cards and 330 stores. Goodwill, however, has claimed that its stores were not breached by Backoff malware, but rather by malware known as rawpos.
Dairy Queen now joins a growing list of retailers that have publicly confirmed data breaches in 2014, including Home Depot, SuperValu, P.F. Chang’s, Target and Michaels.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.