Chipotle completed its investigation into a security breach that took place in the spring, revealing widespread damage that could threaten consumers’ bank accounts and the image of the recovering fast casual brand.
The company told Reuters via email that “most” of its 2,250 or so restaurants were hit by the breach for varying amounts of time between March 24 and April 18. Chipotle doesn’t have an exact count, but is providing a link to affected stores on its website. This also included seven Pizzeria Locales, the brand’s fast casual pizza partnership with Lachlan Mackinnon-Patterson and Bobby Stuckey. The breach affected some Canadian locations as well.
The investigation, Chipotle says, involved leading cyber security firms, law enforcement, and the payment card networks.
“The investigation identified the operation of malware designed to access payment card data from cards used on point-of-sale (POS) devices at certain Chipotle and Pizzeria Locale restaurants between March 24, 2017 and April 18, 2017,” Chipotle said in a release. “The malware searched for track data [which sometimes has cardholder name in addition to card number, expiration date, and internal verification code] read from the magnetic stripe of a payment card as it was being routed through the POS device. There is no indication that other customer information was affected.”
Chipotle announced the breach during its otherwise positive first-quarter earnings in April, which saw comparable restaurant sales jump 17.8 percent year-over-year and revenue grow 28.1 percent to $1.07 billion.
Even though the breach didn’t affect all stores and guests at all times, Chipotle said consumers who “used a payment card at an affected location during its at-risk time frame should remain vigilant to the possibility of fraud by reviewing their payment card statements for any unauthorized activity. Customers should immediately report any unauthorized charges to their card issuer because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner. The phone number to call is usually on the back of the payment card.”
Chipotle added that it removed the malware and is continuing to enhance its security by working with cyber security firms. Similar breaches have affected Arby’s, Wendy’s, and full-service chain Shoney’s in past months.
Reuters spoke to security analysts who noted that Chipotle could face a fine based on “the size of the breach and the number of records compromised.” They also said that the stolen information could be used to drain debit card-linked bank accounts and make “clone” credit cards, as well as to purchase items from less-secure online sites.