(Reuters) - Ice cream and fast-food restaurant chain Dairy Queen has confirmed a security breach that may have compromised the payment card information of customers at several hundred locations across 46 U.S. states.
Computers at Dairy Queen locations, and one Orange Julius smoothie store, were infected by the malicious software Backoff, which has been targeting retailers since it first surfaced a year ago, International Dairy Queen said late on Thursday.
The Edina, Minnesota-based company is a subsidiary of Berkshire Hathaway Inc.
“We are committed to working with and supporting our affected DQ and Orange Julius franchise owners to address this incident,” John Gainor, chief executive of International Dairy Queen, said in a statement.
The malware infected computers at 395 of its more than 4,500 U.S. locations, exposing the names, numbers and expiration dates of customer payment cards, the statement said. There is no indication that other personal information, including card PINs, social security numbers or email addresses, was stolen, it said.
International Dairy Queen said it is offering free identity repair services for one year to customers in the United States who made purchases at any of the affected restaurants.
Stores in four states, Rhode Island, Vermont, Hawaii and Louisiana, did not appear to be impacted by the breach, the company said.
The U.S. government has released reports on several types of malicious software that cyber criminals have used to steal payment cards in the wake of last year’s breach at Target Corp, which resulted in the theft of some 40 million card numbers.
Backoff, first identified in October 2013, is capable of scraping computer memory for track data and logging keystrokes, the U.S. Department of Homeland Security warned retailers in July.
Reporting by Laila Kearney in New York; Editing by Susan Heavey