An investigation into a payment card security incident at Chipotle Mexican Grill has revealed that most of the chain’s 2,000 restaurants were breached and customer information was stolen.
An investigation into the incident, discovered on April 25, revealed that point-of-sale (POS) devices at certain Chipotle restaurants were infected with malware designed to access payment card data, Chipotle said on its website. The investigation was carried out with the help of cybersecurity firms, law enforcement and payment networks.
From the magnetic stripe of a payment card slid into an infected POS, hackers could obtain cardholder names, expiration dates and even internal verification codes in some cases – all essential information for bad actors looking to access the holder’s funds. It isn’t entirely clear whether customers had money stolen. Chipotle says no other customer information was affected, and that not all locations were involved.
“Most, but not all locations may have been involved,” a Chipotle spokesman told Nation’s Restaurant News.
Customers who believe they could be affected by the attack, which unfolded from March 24 to April 18, are instructed by the restaurant chain to “remain vigilant to the possibility of fraud by reviewing your payment card statements for any unauthorized activity.” Customers are further told to report any unauthorized charges to their bank. The notice includes a section with additional steps for customers to take in case their payment card was affected.
“During the investigation we removed the malware, and we continue to work with cyber security firms to evaluate ways to enhance our security measures,” the company says. “In addition, we continue to support law enforcement’s investigation and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring.”
Those curious to see the list of affected restaurants, located in all 48 contiguous U.S. states, can use the state selector on Chipotle’s website. California residents are directed to a slightly different notice specific to that area.
Chipotle customers who believe they may have been affected should consider placing a fraud alert on their credit file. The procedure makes it difficult for a third party to get credit in the original cardholder’s name, as it requires additional measures to ensure the customer’s protection. Cardholders should be aware that placing a fraud alert will also delay their ability to obtain credit.