Chipotle restaurants have been hit by a major nationwide data breach of hits payments systems. The restaurant chain was infected with malware that stole customer payment data from March 24th-April 18th. According to the company hackers have stolen customer payment data from nearly all of its 2,250 restaurants. The stolen data includes account numbers and internal verification codes that could be used to drain customers debit card accounts or clone their credit cards. Chipotle didn’t reveal the details of the attack or affected locations until Friday, May 26th.
The number of restaurants locations attacked includes many major U.S. cities. Chipotle spokesman Chris Arnold said that “most, but not all restaurants may have been involved.”
Chipotle’s Blog reported, “During the investigation we removed the malware, and we continue to work with cyber security firms to evaluate ways to enhance our security measures.”
Chipotle, working with an unnamed cyber security firm, reported it had completed it’s investigation. Law enforcement and payment card networks were also involved in the investigation. Although the company did not give exact numbers it did say that “many” customer’s payment information was compromised.
According to Chipotle’s security alert the point-of-sale (POS) malware attack went on for three weeks. “The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device. There is no indication that other customer information was affected.”
For customers of Chipotle the company has set up a tool to search if their local restaurant was hit by the malware. Check the Chipotle security alert.
Customers of Chipotle are warned to closely monitor their credit card and debit accounts for unusual activity.
