Cyberthieves Attack K-Mart, Dairy Queen

Both Kmart and Dairy Queen have reported potentially major payment card data breaches, with Kmart reporting on Oct. 9 that it discovered a breach from early September.

Both Kmart and Dairy Queen have reported potentially major payment card data breaches, with Kmart reporting on Oct. 9 that it discovered a breach from early September.

“According to the security experts we have been working with, our Kmart store payment data systems were infected with a form of malware that was undetectable by current anti-virus systems,” said a statement from Sears, which owns Kmart. “We were able to quickly remove the malware. However, we believe certain debit and credit card numbers have been compromised. Based on the forensic investigation to date, no personal information, no debit card PIN numbers, no email addresses and no social security numbers were obtained by those criminally responsible. There is also no evidence that kmart.com customers were impacted.”

Dairy Queen’s statement was also issued Oct. 9 and it reported that the ice cream chain “recently learned of a possible malware intrusion that may have affected some payment cards at certain DQ® locations and one Orange Julius® location in the U.S.” and that “as a result of our investigation, we discovered evidence that the systems of some DQ locations and one Orange Julius location were infected with the widely-reported Backoff malware that is targeting retailers across the country.The investigation revealed that a third-party vendor’s compromised account credentials were used to access systems at those locations.”

Dairy Queen said that the malware was found “at a small percentage of locations in the U.S.” and that “the time periods during which the Backoff malware was present on the affected systems vary by location,” which suggested that the viruses were installed manually—one at a time—rather than a coordinated attack with all victims hit at once.

“The affected systems contained customers’ names, payment card numbers and expiration dates. We have no evidence that other customer personal information, such as Social Security numbers, PINs or email addresses, were compromised as a result of this malware infection,” Dairy Queen said. “Based on our investigation, we are confident that this malware has been contained.”