Dairy Queen announced at the end of last week that nearly 400 of its stores were the victim of a breach.
Does that sound familiar? Yes, as a few people wrote in email messages to me on Friday, Dairy Queen is this week’s “breach of the week.” However, I wrote about a presumed Dairy Queen breach back on Labor Day. Did a second breach occur at the ice cream retailer?
No. This is confirmation of a breach that was reported on six weeks ago. As USA Today reported, the breach occurred sometime between August and September, but something doesn’t sound quite right there. After all, my blog post was published on September 1 and I had known about it for a few days before. And in his Krebs on Security blog, Brian Krebs, who broke the original story, wrote this:
Curiously, Dairy Queen said that it learned about the incident in late August from law enforcement officials. However, when I first reached out to Dairy Queen on Aug. 22 about reports from banking sources that the company was likely the victim of a breach, the company said it had no indication of a card breach at any of its 4,500+ locations. Asked about the apparent discrepancy, Dairy Queen spokesman Dean Peters said that by the time I called the company and inquired about the breach, Dairy Queen’s legal team had indeed already been notified by law enforcement.
So now a lot of news outlets are reporting Dairy Queen as the latest retail breach, caused by weak security at the point of sale, and there seems to be no end in sight. As Andrew Jaquith, CTO and SVP Cloud Strategy with SilverSky, told me in an email:
There’s been a flurry of attacks on retail point-of-sale systems. That is because the techniques for compromising magnetic-stripe POS systems — malware mixed in with your typical phishing exploits — are now well known, and have been shown to work. This formula will be attempted with every large retailer in the U.S. To put this in context, there are over 270 retail and hospitality chains in the U.S. that have more than 1,000 employees. They are all targets. As we approach the end of the year, expect to see a blizzard of retail breaches. While it may seem like cold comfort for Dairy Queen, they will soon be in good company.
The latest to join Dairy Queen is Kmart, so it didn’t take very long for the next point of sale breach to happen.
However, I think the bigger issue in the Dairy Queen breach is that it was first reported in August, and Dairy Queen corporate offices took weeks to confirm it. Where was Dairy Queen’s cybersecurity plan? If franchises are all using the same point of sale systems, why isn’t a breach response plan in place? It is irresponsible that it took this long to give a public statement on a situation that raised speculation weeks ago.
The takeaway for business, then, is this: As point of sale breaches are happening almost weekly at this point, what are system providers doing to alleviate the risks and does your company have a cybersecurity response plan in place?
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba