
Cyber Incident Victim: Dairy Queen

Date:

Aug 2014

Location:

United States of America

Summary

A fast food chain confirmed a breach in which malware compromised customer payment card data at certain franchised locations, following an alert from the US Secret Service. The incident was linked to Backoff PoS malware, consistent with widespread retail intrusions referenced in a government advisory. Financial institutions detected fraudulent activity tied to multiple stores. The company stated that affected franchisees were notified alongside payment processors, but noted that there were no direct fraud reports from individual locations due to their independent operational structure. The scope of impacted stores and customers remained undisclosed, and franchisees were under no obligation to report breaches to the parent organization.


Description

In August 2014, Dairy Queen confirmed a breach affecting payment systems at some of its franchised locations following an alert from the US Secret Service. The company disclosed that malware had infected point-of-sale (PoS) systems, potentially compromising customer credit and debit card data. While Dairy Queen did not explicitly name the malware, the article linked the incident to Backoff PoS malware referenced in a Department of Homeland Security advisory, which had impacted over 1,000 businesses in similar attacks. The company stated that only a "limited number of stores" were affected and emphasized that franchisees—not corporate systems—were the target. Dairy Queen notified impacted franchise locations, credit card processors, and card companies to gather incident-related information. No specific figures were provided regarding the number of compromised stores or customers. The disclosure followed reports by security researcher Brian Krebs, who had earlier documented fraud patterns on cards used at six Dairy Queen locations based on alerts from financial institutions.


Dairy Queen’s corporate representative Dean Peters initially stated that individual stores had not received fraud reports when contacted by Krebs prior to the breach confirmation. Peters highlighted the operational structure of the chain, noting that nearly all Dairy Queen outlets were independently owned franchises. This decentralized model complicated breach visibility, as franchisees were not contractually obligated to report security incidents to corporate headquarters. The company’s public statement did not specify detection methods, containment measures, or forensic findings beyond confirming malware involvement. No customer data types beyond payment card information were mentioned, and no geographic scope or timeframe for the breach was disclosed. Financial impacts, legal repercussions, and detailed remediation steps were not addressed in the available reporting.
