Dairy Queen said Thursday the “Backoff” point-of-sale malware infected systems at 395 of its stores, stealing payment card data.
The company, which has 4,500 independently owned franchises in the U.S., said in a statement it believes the “malware has been contained.” Most of the stores, including one Orange Julius location, were affected for between three weeks and a month starting in early August, according to a list.
“We deeply regret any inconvenience this incident may cause,” wrote CEO and President John Gainor.
The company is the latest one to disclose a data breach due to malicious software. Home Depot and Target disclosed large data breaches that compromised card data. Other companies affected were Neiman Marcus, Michaels, P.F. Chang’s China Bistro and Sally Beauty.
Dairy Queen said its investigation showed that a third-party vendor’s account credentials were used to access the systems at the affected locations. The same method of attack yielded access to Target’s systems. The vendor was not identified.
The stolen information comprised customer names, payment card numbers and card expiration dates. No other customer information, such as Social Security numbers, PINs or email addresses, was stolen, it said.
The U.S. Department of Homeland Security and Secret Service warned in August that upwards of 1,000 businesses may be infected by malware such as Backoff on their point-of-sale devices.
Backoff, which first appeared around October 2013, collects payment card data from a computer’s RAM, where it briefly sits unencrypted after a card is swiped.