Chipotle has confirmed that a threat agent (hacker) installed malware that targeted the company’s point-of-sale systems between March 24th and April 18, 2017. The malware was able to obtain the credit card number, name on the card, expiration date, and internal verification code. The attack pulled the information off the magnetic stripe of credit cards used physically in both Chipotle and Pizzeria Locale restaurants; Pizzeria Locale is also owned by the parent company of Chipotle.
The breach affected most of the company’s locations across the continental United States, but the full scope of the breach has yet to be determined. A Chipotle spokesperson told Engadget that, “Because of the nature of the incident and the type of data involved, we do not know how many unique payment cards may have been involved.” The company has launched a web page to assist customers who used their credit cards in the restaurants between the affected dates. Chipotle has stated that an outside security firm, which it hired to assist in combating the threat, has removed all traces of the malware from the point-of-sale systems.
As with all breaches that affect personally identifiable information (PII), we suggest that you closely monitor your bank account and/or credit card statements for fraudulent charges and alert your institution promptly if any are found. The information Chipotle provides on its web page is useful, but the company is still trying to determine the full extent of the breach.
Current List of Affected Restaurants: