Known for its delicious frozen treats, the Dairy Queen restaurant chain joins the unenviable group of major retailers that have been hacked. On October 9, 2014, the same day Kmart announced its data breach, Dairy Queen notified its customers that 394 of its 4,500 franchised stores in 46 states had their payment systems compromised. Dairy Queen also owns the Orange Julius chain, and one of its stand-alone stores was affected as well. According to Time magazine, approximately 600,000 cards were accessed by the hackers during this breach.

Unlike Kmart, which discovered the breach October 9 and notified its customers the next day, Dairy Queen was aware of the potential breach in August 2014 and said it was investigating, but didn’t notify its customers until more than a month later. The Edina, Minn.-based restaurant chain has now provided a list of the affected stores on its website that includes the dates of the breaches – all between August 1 and September 23, 2014.

In August, Dairy Queen launched an investigation to determine the extent of the breach. The company hired external forensic experts and worked with law enforcement authorities and payment card companies to uncover the details. The investigation found that the breach came through a third-party vendor’s account credentials. Industry experts are saying it was the company’s point-of-sale hardware vendor. The hackers used the credentials to access the payment systems remotely and steal the bank card data. Customer names, credit and debit card numbers, and expiration dates were accessed; however, according to company officials, no other personally identifiable information was compromised.

The cyber criminals used the now infamous “Backoff” malware that was also the source of the Kmart breach, among others. This is the same malicious software that the Department of Homeland Security warned the public about in August 2014, advising that more than 1,000 U.S. businesses had experienced data breaches as a result.

Dairy Queen recommends that individuals who think their cards may have been affected check their payment card statements for any unusual activity during the August through September timeframe and immediately report it to their payment card company. Like the other companies that have experienced similar breaches, Dairy Queen is offering identity repair services to affected customers for one year, at no cost.

These data breaches need to be taken seriously by organizations of all shapes and sizes, not just large retailers. Any organization that holds mission-critical or customer data can have its systems and data targeted by cyber criminals. Organizations must take the necessary steps to ensure their data and systems are fully protected. In addition to ensuring their antivirus software is up to date and they have robust firewalls and authorization policies in place, many organizations are hiring “white hat” hackers who spend their days attempting to penetrate the organization’s own computer systems. It also makes sense to invest in safeguards to ensure that software developed internally or purchased does not have weaknesses that would make it vulnerable to such breaches.