For the last three months, hackers had access to customer credit and debit card names, numbers and expiration dates at 395 Dairy Queen stores in the U.S. stores, according to news reports. The hackers installed the same “Backoff” malware on local stores cash registers that was used in a major identity theft at Target earlier this year.
The Department of Homeland Security and the Secret Service are reportedly working together to chase the identity thieves that use Backoff as a point-of-sale malware that remotely exfiltrates “consumer payment data” as if the requester was the corporate data administrator.
DHS cyber cops believe that the malware was first released a year ago October and remained undetected by virtually all anti-malware software until massive customer complaints at Target this spring. DHS has documented that over 1,000 businesses in the U.S. have had customer data compromised, and urges all firms to investigate if they have are infected.
“The Secret Service is contacting impacted businesses, as they are identified, and continues to work with and support those businesses that have been impacted by this [Backoff] malware,” according to a DHS publication.
The KrebsOnSecurity website that first broke the DQ story said that financial institutions in several states, including Alabama, Indiana, Illinois, Kentucky, Ohio, Tennessee, and Texas, were dealing with a pattern of fraud from cards used at Dairy Queen,
“At this time, there is no such policy,” a company spokesman told NSN Money. “We would assist them if [any franchisees] reached out to us about a breach, but so far we have not heard from any of our franchisees…”.
Julie Conroy, research director at Aite Group, told KrebsOnSecurity that corporations must have a breach notification policy to protect customers and the company’s brand:
This goes back to the eternal challenge with all small merchants. Even with companies like Dairy Queen, where the mother ship is huge, each of the individual establishments are essentially mom-and-pop stores, and a lot of these stores still don’t think they’re a target for this type of fraud. By extension, the mother ship is focused on herding a bunch of cats in the form of thousands of franchisees, and they’re not thinking that all of these stores are targets for cybercriminals and that they should have some sort of company-wide policy about it. In fact, franchised brands that have that sort of policy in place are far more the exception than the rule.
DQ may be the largest hack recently, but identity thieves are hard at work trying to hack other retailers. Sears Holding Co. said late Friday that it recently discovered that point-of-sale registers at its Kmart stores were compromised by similar malicious software that stole customer credit and debit card information. The company says it removed the malware and contained the breach, but that the investigation is ongoing and they are cooperating with federal investigators.
“Yesterday our IT teams detected that our Kmart payment data systems had been breached,” said Chris Brathwaite, spokesman for Sears. “They immediately launched a full investigation working with a leading IT security firm. Our investigation so far indicates that the breach started in early September” according to Krebs.