Dairy Queen says a hack across 46 states may have compromised customer data, including names, card numbers and card expiration dates at 395 stores.
The hack affects customers who shopped at Dairy Queen between August and October 2014. According to the company, there is no evidence Social Security numbers, card PIN numbers or email addresses were stolen in the hack.
"International Dairy Queen Inc. today confirmed that the systems of some DQ® locations and one Orange Julius® location in the U.S. had been infected with the widely-reported Backoff malware that is targeting retailers across the country," said the company in a statement.
Backoff is malicious software that has been targeting retailers since it was first uncovered in October 2013. The software essentially can log keystrokes and track data.
The hack includes over 4,500 U.S. locations and it seems as though only four states were not affected, including stores in Hawaii, Louisiana, Rhode Island and Vermont.
"We are committed to working with and supporting our affected DQ and Orange Julius franchise owners to address this incident," said John Gainer, president and CEO of International Dairy Queen.
Owned by Kershire Hathaway Inc., Dairy Queen is offering free identity repair services for one year to U.S. customers who made purchases at the store during the time period in question.
Hacks of major retailers have been rather frequent over the past few years. Last week JPMorgan Chase confirmed that 76 million households and 7 million small businesses were affected in a data breach back in June and July.
Dairy Queen says the hack was the result of a third-party vendor's computer credentials being hacked and then used to enter the system used at Dairy Queen. It is a similar scenario to how Target was hacked and around 70 million customers had their information affected last year.
While the hack is large, the company says that the malware has now been contained and that customers can continue to shop at the store with confidence. The hack was first suggested back in August from a blog, Krebs on Security, which said sources saw signs of a data breach at Dairy Queen.
"Upon learning of the issue, the company conducted an extensive investigation and retained external forensic experts to help determine the facts," continued the company. "Because nearly all DQ and Orange Julius locations are independently owned and operated, the company worked closely with affected franchise owners, as well as law enforcement authorities and the payment card brands, to assess the nature and scope of the issue."
