Chipotle customers targeted by companywide data breach

By Kramer Phillips | 4 years ago

Hackers breached Chipotle’s internal systems and stole customer payment data from most of the company’s restaurant chains over a period of three weeks earlier this year, the company said on Friday. Chris Arnold, a company spokesman, said in an email that the company has yet to determine exactly how many customers may have been compromised.

The breaches all occurred between March 24 and April 18, affecting individual Chipotle chains separately and for varying lengths of time. The hackers used a malware program to carry out the attack and in the process acquired customer account numbers and internal verification codes, data that they could use to steal funds from debit-card-linked bank accounts, make unauthorized online purchases using the customers’ debit cards, or open new credit cards in the customers’ names.

Chipotle said that it has cleared the malware from its systems since then. It did not personally notify affected customers, according to Arnold, because the company does not collect and store customers’ names and addresses at the time of purchase.

The revelation threatens Chipotle’s sales, which previously took a dip in 2015 when hundreds of customers contracted foodborne infections, including E. coli, salmonella, and norovirus. The company may also be punished with civil fines for having allowed customer data to be so compromised, security analysts told Reuters.

“If your data was stolen through a data breach that means you were somewhere out of compliance” with payment industry data security standards, said Julie Conroy, research director at Aite Group, a research and advisory firm.