Fast food chain Dairy Queen today confirmed a data breach of payment card data at some of its U.S. locations, which include Dairy Queen and Orange Julius stores.
Signs of the breach were reported as early as late August, but the Minnesota-based company had yet to confirm the cyber attack.
CLICK HERE to view a list of impacted stores.
The breach compromised customer names, payment card numbers and card expiration dates for credit and debit cards used at 395, or just less than 9 percent, of Dairy Queen’s U.S. locations in 45 states and Washington, D.C.
Dairy Queen visitors in Kentucky may have been hit the hardest, as there are more than 50 Kentucky locations on the list of affected stores, more than any other state.
It’s unclear if Kentucky has an extraordinary number of Dairy Queens to begin with or if the malware happened to infiltrate a higher share of stores in the state — regardless, there’s a high number of compromised Dairy Queens in Kentucky.
Its neighbor Indiana had the second-highest number of breached stores, with 30.
Dairy Queen confirmed it is one of many victims of the Backoff malware, which is said to have infiltrated hundreds of American retailers. While it’s certainly problematic for consumers to lose control of their payment information — it’s frequently sold on the black market and used to make fake credit cards or fraudulent card-not-present transactions — Dairy Queen’s statement said, “We have no evidence that other customer personal information, such as Social Security numbers, PINs or email addresses, were compromised as a result of this malware infection.”
The malware entered store payment systems as early as Aug. 1 and captured payment data through early September, in some cases. The breach dates for specific locations are included on Dairy Queen’s online list of affected stores.
Consumers should monitor their credit and debit card activity for fraudulent transactions — that’s a good habit to practice whether or not you enjoy the occasional Blizzard — and contact their card issuers as soon as they detect unauthorized activity.
“I think if I had a debit card and I shopped at a Dairy Queen in the time frame, I would ask the bank to change my debit card number,” said Adam Levin, identity theft expert and chairman and co-founder of Credit.com.
It’s a similar situation to other breaches consumers have read about, Levin said, and the best way to react is to monitor your card transactions.
Most banks and card issuers allow you to sign up for transaction alerts for free.
Christine DiGangi covers personal finance for Credit.com. Previously, she managed communications for the Society of Professional Journalists, served as a copy editor of The New York Times News Service and worked as a reporter for the Oregonian and the News & Record.