Dairy Queen may be the latest victim of a data breach. Or not.
As of this writing, questions surround whether credit and debit card data has been breached at Dairy Queen. According to Brian Krebs, sources in the financial industry have seen signs of a breach, but Dairy Queen headquarters is not reporting anything. The reason for the non-announcement is simple, said Krebs:
“Dairy Queen says it has no indication of a card breach at any of its thousands of locations, but the company also acknowledges that nearly all stores are franchises and that there is no established company process or requirement that franchisees communicate security issues or card breaches to Dairy Queen headquarters.”
Krebs goes on to say that he first heard rumblings about a potential Dairy Queen breach a couple of weeks ago, but when he spoke to officials at Dairy Queen’s main office, they couldn’t confirm anything. It all boils down to the independence of the franchises.
What this story reveals is the tricky relationship among franchises, parent companies and network security. While the parent company may not have control over the franchises, it is the overall brand that suffers. But I also wonder who controls the overall security for the franchise stores. It isn’t a coincidence that multiple stores under one brand are being targeted. If the parent company is the one supplying the security, shouldn’t a breach be known and/or reported? This story raises a number of questions about franchise security that I haven’t thought about before, but hope to find answers to in the near future. But it does appear that serious problems loom for franchises hit by security breaches. As Trey Ford, global security strategist at Rapid7, said in an email to me:
“Franchise owners and operators will have a harder time locating malicious software – those equipped to detect, contain, and eradicate miscreants from their systems are the exception, not the rule. The banks and payment brands have sophisticated fraud detection processes – if your business is contacted as a ‘common point of purchase’ for credit card fraud, that is generally a high confidence indication you have a problem.”
So, whether a breach occurred or not, it does seem fitting that it is a retail establishment best known for its ice cream treats that brings to a close a strange summer of cybersecurity news and incidents. I’m not sure what this means for the upcoming holiday shopping season, but I expect things could get nasty.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba