Dairy Queen’s 4,500 franchised stores appear to be the source of the latest payment-card breach, according to Krebs on Security. The Minneapolis-based fast-food chain said it hasn’t heard any breach reports — but it also doesn’t ask franchisees to report breaches to headquarters.
However, several financial institutions now say they’re dealing with a pattern of fraud on cards that were all recently used at Dairy Queen locations in several states, including Florida, Alabama, Indiana, Illinois, Kentucky, Ohio, Tennessee and Texas. Rumors of a DQ breach have been circulating for more than two weeks, and the breaches may date from as long ago as June 2014.
But most Dairy Queen stores are franchised, and there’s no requirement for franchisees to notify the company in the event of a card breach. “We would assist them if [franchisees] reached out to us about a breach, but so far we have not heard from any of our franchisees that they have had any kind of breach,” said Dean Peters, DQ’s director of communications.
The probable DQ breach resembles recent card thefts at sandwich-shop chain Jimmy John’s and UPS Stores, both of which have many franchisee-owned locations. In recent cases, cyberthieves have been scanning networks for point-of-sale systems with remote access capabilities and weak or default passwords. The thieves then break in, install malware on POS devices and proceed to steal card numbers, according to a recent Department of Homeland Security/Secret Service advisory.