Chipotle has announced that a data breach affected most of its restaurants, and hackers used malware to steal customers' credit/debit card information.
The food chain revealed on Friday, May 26, that malware hit its sales system between March 24 and April 18. Chipotle further mentioned that the data breach occurred on April 25, a week after the malware ended.
Hackers obtained the credit card information of many Chipotle customers and, in some cases, also the customers' names.
Chipotle Hack Compromised Customers' Credit Card Info
Chipotle explains that the malware was designed to get track data, which contains the card number, expiration date, verification code, and sometimes the name of the cardholder as well. The hack basically stole these track data transmitted through a card's magnetic stripe when routed through a POS.
"Customers that used a payment card at an affected location during its at-risk time frame should remain vigilant to the possibility of fraud by reviewing their payment card statements for any unauthorized activity," highlights Chipotle.
If customers notice any unauthorized charges, they should immediately report them to their credit card issuers. Cardholders are typically not liable for unauthorized charges provided they report them in due time.
Hackers breached a slew of Chipotle and Pizzeria Locales across the United States in Kansas, Colorado, Ohio, and Missouri. The company says it has not yet found each affected location, but customers can check whether the Chipotle or Pizzeria Locale they visited has been affected.
Both Chipotle and Pizzeria Locale have already removed the malware and are currently working with law enforcement, credit card networks, and cybersecurity companies to find solutions to enhance its security and prevent such an incident form reoccurring in the future. Chipotle says it saw no indication that the breach affected other customer information.
The food chain did not offer an exact figure for how many restaurants this breach affected but noted that it may have hit most locations nationwide.
Checking with the tools Chipotle provided reveals that every state in which the chain operates had at least a few restaurants affected. This applies to most major cities as well as smaller ones. Moreover, the breach apparently affected restaurants in Canada as well, so it's not limited just to the United States.
Risks For Customers
Hackers could use the stolen card information to drain accounts linked to debit cards, clone credit cards, or make purchases on various online websites with lower security features, says Paul Stephens of Privacy Rights Clearinghouse.
Customers who used a credit or debit card to pay for their meal at Chipotle or Pizzeria Locale between March 24 and April 18 are highly advised to use Chipotle's tools to check whether the restaurant in question was affected and check their transaction logs to see if they incurred any unauthorized charges.
For more information, customers can also call 1-888-738-0534 between 9 a.m. and 9 p.m. EST Monday through Friday, on regular business days. It will be closed for Memorial Day, however, while the schedule during Memorial Day weekend will be from 9 a.m. to 5 p.m.