American ice cream chain Dairy Queen has confirmed that the Backoff point-of-sale malware was responsible for the compromise of payment card data at some of its locations.
In a statement, Dairy Queen said that nearly 400 US restaurants were affected, and that systems were accessed due to a “third-party vendor’s compromised account credentials.”
The statement, posted on the front page of its website and signed by president and CEO John Gainor, said that after the intrusion was detected in August, the company launched an extensive investigation with external forensic experts and discovered evidence that the systems of some Dairy Queen locations, and one Orange Julius location, were infected with the Backoff malware.
He said: “The Backoff malware was present on systems at a small percentage of locations in the US. The time periods during which the Backoff malware was present on the affected systems vary by location.
“The affected systems contained customers’ names, payment card numbers and expiration dates. We have no evidence that other customer personal information, such as Social Security numbers, PINs or email addresses, was compromised as a result of this malware infection. Based on our investigation, we are confident that this malware has been contained.”
He said that customers are being notified and that, as nearly all Dairy Queen and Orange Julius locations are independently owned and operated, the company has worked closely with affected franchise owners, as well as law enforcement authorities and the payment card brands, to assess the nature and scope of the issue.
“We deeply regret any inconvenience this incident may cause,” he said. “Our customers are our top priority and we are committed to working with our franchise owners to address the issue.”
The statement said that the investigation had confirmed the issue is associated with the widely reported Backoff malware targeting retailers across the country. The US Computer Emergency Readiness Team (US-CERT) issued an alert after the Secret Service responded to network intrusions at numerous businesses throughout the United States that had been affected by the Backoff malware.
Variants of the point-of-sale malware family have been seen as far back as October 2013. The malware typically has the ability to: scrape process memory for payment card track data; log keystrokes; communicate with a command-and-control server; and inject a malicious stub into explorer.exe, which provides persistence in the event the malicious executable crashes or is forcibly stopped.
Mark Bower, vice president, product management and solutions architecture for Voltage Security, said: “The only realistic way to avoid this malware-driven breach is to avoid the card and track data being present in live form in memory and storage in the retail processing systems and Point of Sale (POS). Leading merchants today are achieving success with this approach using the latest encryption technology.
“Encrypting data in the card reader device the instant it is read with format-preserving encryption techniques enables the protected track and card data to flow completely protected through the POS to the secure processing host, ideally at the acquirer or within an isolated processing system. Only the host can decrypt, and if the malware steals the data from the POS either remotely or directly, it gets nothing of meaning or value.”