Known for its hot fries and soft-serve ice cream, Dairy Queen just made cyber history as the latest victim of a hack attack. The fast food chain has revealed that customer data at some of its stores may be at risk.
According to Dairy Queen, the possible data breach is connected to the Backoff point-of-sale malware that raked Target over the coals last year. Target recently revealed the breach cost its shareholders $148 million, though there’s no indication that Dairy Queen was hit that hard.
"In addition to communicating with potentially affected franchised locations, credit card processors and credit card companies to gather relevant information, we immediately began cooperating with the authorities investigating this particular malware," Dairy Queen said in a statement. "We continue to communicate with our franchisees and service providers regarding steps necessary to protect customer data and minimize any impact to our customers."
Early Warning Signs
Brian Krebs of Krebs on Security was the first to see hints of the breach. On Aug. 14 he pointed to sources in the financial industry saying they were seeing signs that Dairy Queen may be the latest retail chain to fall victim to a cyberattack.
“I first began hearing reports of a possible card breach at Dairy Queen at least two weeks ago, but could find no corroborating signs of it -- either by lurking in shadowy online ‘card shops’ or from talking with sources in the banking industry,” Krebs said.
“Over the past few days, however, I’ve heard from multiple financial institutions that say they’re dealing with a pattern of fraud on cards that were all recently used at various Dairy Queen locations in several states,” he added. “There are also indications that these same cards are being sold in the cybercrime underground.”
Protecting the End Points
We turned to Mike Davis, CTO at real-time endpoint threat protection firm CounterTack, to get his insights on the Dairy Queen breach. He told us the fact that franchisees are not required to tell the franchisor about security breaches illustrates how breach notification processes are weak not just in retail but in most industries.
“The franchisor brand is affected when a franchisee causes a security breach,” Davis said. “Franchisors should start requiring security controls of their franchisees above those required by PCI and third parties the franchisee may work with. The franchisor's brand could be destroyed easily without better controls in place for franchisees.”
What’s more, without real-time insight into what processes and activities are occurring on franchisee point-of-sale systems, the time between a breach being detected and a security team knowing the impact is too great, Davis said.
“With ups and now downs, it seems the media knew about the impact of a breach before the companies did, and that is a real problem that can only be addressed by utilizing endpoint threat detection and response technology to know exactly what happened on what endpoints during an attack,” he added.