Dairy Queen says 395 stores hit by August cyberattacks

International Dairy Queen Inc. said computers at 395 of its 4,500 U.S. locations were infected for a period of time with malware that may have compromised some customer information.

Eighteen stores in Minnesota were affected, most for the better part of August, according to the company.

Edina-based Dairy Queen made the announcement after more than a month of investigation into possible malware attacks. The company said it worked closely with franchisees, law enforcement officials and the brands of payment cards affected by the cyberattacks to determine the nature and extent of the breach.

"The time periods during which the Backoff malware was present … vary by locations," a Dairy Queen release said.

The hacked computer systems contained the names of payment card customers, as well as card numbers and expiration dates. The company says it has no evidence that Social Security numbers or personal identification numbers were stolen.

Dairy Queen spokesman Dean Peters said the company does not collect that information from payment card customers when they make a purchase. The names, card numbers and expiration dates that are collected are encrypted immediately, Peters added.

According to the company, the cyber breach came as the result of a third-party vendor's computer credentials being hacked and used to enter the Dairy Queen system. That scenario is similar to the way cyber thieves gained access to financial information for about 70 million Target Corp. customers last year.

Thursday's news came after Dairy Queen made a general announcement of the cyber breach in August. Since then, outside forensic experts worked with company personnel to determine specifics.

The company has offered "free identity repair services for one year to customers in the U.S. who used their payment card at one of the impacted locations during the relevant time period."

It also advised customers to get a free credit check and report any irregularities with their payment card accounts.

Details of which stores were affected can be accessed at www.dq.com/datasecurityincident.

Both United Parcel Service and Supervalu appear to have been hit by the same Backoff bug, which burrows into retail point-of-sale computer systems.

Eden Prairie-based Supervalu warned on Aug. 16 that hackers had breached its computer systems, which contained customer information from 1,016 grocery and liquor stores around the country, including 60 outlets in Minnesota. Supervalu, which owns the Cub Foods chain, said its computers were hacked between June 22 and July 17.

Minneapolis-based Target Corp. fell prey to a huge data breach during the 2013 holiday shopping period. It exposed the financial and personal data of 70 million customers, costing the retailer around $150 million so far.

Michaels Stores, Neiman Marcus and P.F. Chang's are among other large national retailers hit by cyberthieves in recent months.

Jim Spencer • 1-202-383-6123