Chipotle Food Chain Announces Large-Scale Data Breach

All you wanted was a burrito, but you may have gotten a side of data breach.

Don’t be misled into thinking it’s because data breaches aren’t occurring, but admittedly other forms of attack like ransomware and the theft of complete identities are somewhat “flashier” news. Just because hackers have found creative new ways to steal funds and identifying information, though, that doesn’t mean thieves aren’t going to try to make a quick buck off your credit card or debit card information.

Like many other major retail data breaches in the past, fast food chain Chipotle has announced that its point-of-sale (POS) system was infected with malware at multiple locations. The POS system is the “swiper” mechanism where you pay with your card, and hackers have targeted these machines for quite some time. The goal is to steal payment credentials, then either uses them or sell them before the credit card companies suspect the fraud and shut down the accounts.

Also like many other retail breaches, Chipotle is still uncovering the scope of the damage. The first announcement came April 25th, alerting consumers and the authorities to the breach. Later on, they discovered that the initial breach may have extended to locations in as many as 47 states. Further investigations found the malware that infected the system took hold on March 24th, and the breach of information continued through April 18th.

One of the good things about Chipotle’s situation is the restaurant chain does not maintain customer information databases, which means the hackers didn’t get their hands on even more information. However, it also means that Chipotle has no way of contacting possible victims to inform them.

As such, it’s up to the customers to go to the website and search for their location. Anyone who suspects that their payment information was compromised should contact their financial institution directly and speak with a customer service representative.

One of the many takeaways for the stakeholders in this event is that the new “chip cards,” while not a foolproof solution, could certainly have minimized the damage. Adoption of the chip system for POS is not as rapid or widespread as security experts had hoped, and consumers are starting to question why they were issued new cards if merchants are not following through with updates to their payment systems. It’s important to remember that “swiping” a chip card can still leave it vulnerable to this kind of data breach since the information is retrieved from the magnetic stripe rather than the embedded microchip.

However, be warned: if your chip credit card is hacked because the merchant hasn’t updated the POS system, the merchant is the one responsible for any fraudulent charges rather than your financial institution. That can be problematic in a multi-victim breach, especially if the merchant can’t or won’t cover those charges. If you have any concerns about the merchant’s ability to protect you from fraud, you might consider paying with cash rather than swiping your chip card.

Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: Don’t Let that Fender Bender Lead to Identity Theft  

Pin It

Article Archives


ITRC Sponsors and Supporters 





Go to top