A significant number of Chipotle Mexican Grill Inc. restaurants across the US have been affected by a short-lived computer data breach, which the company initially reported back in April.
Chris Arnold, the company’s spokesman, said in an email that most, but not all, of their locations may have been involved. He also said that the locations were affected for varying amounts of time.
According to reports, aside from Chipotle, the breach also affected Pizzeria Locale, which is a concept developed by the Chipotle group. The nationwide computer data breaches took place between March 24 and April 18 of this year and, as a result, the credit card information of customers who made transactions during that period may have been intercepted. Among the important information is customer payment data, which includes the cardholder’s name, card number, and the card’s expiration date.
Unfortunately, the stolen data include account numbers as well as verification codes, which can potentially be used to clone credit cards or drain debit card accounts. That is why Chipotle and credit card companies encourage customers to quickly check their accounts just to be sure that nothing suspicious is going on. If there is any suspicious activity or unexplained expense on their account, it needs to be reported to the card issuer immediately.
The good news is that, according to Chipotle, they have already removed the problem software and that they are continuing to resolve other related security issues. They have also set up a website which contains the details on the breach as well as useful information for their consumers who may have a lot of concerns and inquiries.
The site includes the list of the restaurant branches across the United States that have been affected by the data breach. The information published is not just for Chipotle customers, but for Pizzeria Locale customers as well.
Based on the investigation conducted by the company, they were able to identify malware that was designed to access the credit card information of customers who used their cards on point-of-sale (POS) devices at the affected Chipotle and Pizzeria Locale restaurants.
The said malware searched for track data, which contains the information that was mentioned earlier, and once acquired, this information is then sold on the black market.
Per Chipotle, the malware has already been removed, but they continue to work with cyber security firms so that they can assess their current security measures and come up with ways to enhance them even further. The company also said that they “continue to support law enforcement’s investigation and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring.”
The Impact of the Nationwide Computer Data Breach
In the wake of the incident, it came to light that Chipotle refused to upgrade their chip readers back in 2015. As reported in the investigation, the malware that was used in the attack was able to steal the data of the cardholders through the magnetic stripes of their payment cards.
Although it is not really clear whether chipped payment cards would have been vulnerable to the hacking incident, it was noted that Chipotle declined to use them in 2015. The refusal was due to the inefficiencies caused by delays in the authentication process, which were not advisable in a fast-paced food service business.
As expected, the data breach could mean big trouble for the shares of the Mexican restaurant. It does not help that Chipotle has just partially recovered from a controversy that it was involved in during the latter part of 2015.
The said controversy involved a series of outbreaks wherein their customers in California got sick from a norovirus. Then, their customers in Washington and Oregon also got sick from E. coli. It did not stop there because some of their customers in Boston also got sick, again from a norovirus strain.
Going back to the breach, security analysts say that there is a big possibility that Chipotle will face a fine based on the size of the breach and the amount of customer information that was compromised.
According to Julie Conroy, research director at Aite Group, the data breach meant that Chipotle was somewhere out of compliance. Moreover, the card companies may also fine Chipotle and hold them liable for any fraud that is a direct result of their data breach. This was according to Avivah Litan, vice president at Gartner Inc (IT.N), specializing in security and privacy.