The breach with the so-called Backoff malware affected 395 of more than 4,500 U.S. locations, the unit of Omaha, Nebraska- based Berkshire said today in a statement. The systems contained customer names, and the numbers and expiration dates of their payment cards. Less than 600,000 cards were affected, said Dean Peters, a spokesman for Dairy Queen.
The Backoff software has been used to target more than 1,000 businesses, according to the U.S. Secret Service. Dairy Queen said it will provide identity-repair services for a year to customers of the locations that were struck.
“We are committed to working with and supporting our affected DQ and Orange Julius franchise owners to address this incident,” John Gainor, chief executive officer of Dairy Queen, said in the statement. Almost all Dairy Queen locations are independently owned and operated.
The intruder used the account credentials of a third-party vendor to access computer systems, according to Dairy Queen, which said it hired forensic specialists to review the breach and is confident the malware is contained. The company said there’s no evidence that Social Security or personal identification numbers were taken.
Dairy Queen published a list of hacked stores and the time frame of the each of the attacks, which were concentrated in August and September.
Retailers such as Target Corp. and Home Depot Inc., where customers can buy more expensive items, have been subject to larger incursions. JPMorgan Chase & Co., the largest U.S. bank, last week outlined the scope of a previously disclosed data breach, saying that 76 million households and 7 million small businesses had been affected.