Chipotle Mexican Grill, the popular Tex-Mex food chain, has confirmed a cybersecurity attack that hit most of its restaurants and allowed hackers to steal credit card information from customers. Hackers installed malware that read a credit card’s magnetic stripe as customers or staff swiped the card to pay for a meal. Chipotle said it did not know how many payment cards or customers were affected by the cyber attack. However, the security breach struck most of its 2,250 restaurants.
The company first acknowledged the massive breach on April 25, 2017. The kind of malware used in the attack was revealed in a blog post on Friday. The post reported the “finding from the investigation of the payment card security incident.”
When CNNMoney asked the popular burrito chain on Sunday about the scale of the attack, spokesman Chris Arnold said that “most, but not all restaurants may have been involved.”
Chipotle restaurants across the U.S. were struck in the chain’s recent data breach, the company reported. The malware was picking up data from cards used on point-of-sale payment devices at Chipotle restaurants for almost a month earlier this year.
The stolen information included the card number, expiration date, and internal verification code and, potentially, the cardholder name, the company said.
It appeared that Arizona, California, Florida, Illinois, and Texas had the most restaurants affected. Not all locations were involved, and the specific time frames vary by location. A list of affected restaurants was posted on Chipotle’s website. To see if you may have been a victim, check Chipotle’s security blog.
Chipotle asked customers who had paid by card at the restaurants between March 24, 2017, and April 18, 2017, to check their statements and report any unauthorized activity to their card issuer.
“Payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner.”
On Friday, the company provided information on the scope of the cyber attack in a statement after cyber security firms, law enforcement, and the payment card companies completed an investigation, according to CNBC. Chipotle has received a ton of bad press in the last couple of years. The company was just recovering from a host of food-safety issues in 2015 that sickened people across the country.
In multiple incidents, customers fell ill, stores were shut down, and Chipotle sales plunged. In August 2015, issues began with the Denver-based Chipotle Mexican Grill chain when Minnesota customers were infected with salmonella and nearly 100 more in Southern California came down with norovirus after eating at Chipotle.
In 2015, cases of norovirus and E. coli were reported by Chipotle customers, who later sued the company. In an attempt to make a fresh start, Chipotle closed its nearly 19,000 stores on February 8, 2016, for a nationwide staff meeting to address the controversial food-safety issues.
"Most, but not all restaurants may have been involved," the company said. https://t.co/w0DvMA86KH (CNNMoney, @CNNMoney, May 28, 2017)
The hacking incident was first reported by the company on April 25, 2017. Chipotle’s statement said the company would continue to work with cyber security firms to enhance its security measures.
“In addition, we continue to support law enforcement’s investigation and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring.”
According to ABC, a credit union in New Hampshire has filed a class-action suit alleging that Chipotle’s negligent security measures put customers at risk.
Chipotle warned customers to closely monitor their card statements and notify their bank if they see any unauthorized charges.
[Featured Image by Andrew Renneisen/Getty Images]