Chipotle Confirms Data Breach Hit “Most” Restaurant Locations

Image courtesy of Josh Bassett

Chipotle recently made a vague disclosure to investors that its card-payment system had likely been breached by cybercriminals. Now the burrito chain is confirming that this attack affected most Chipotle stores — including its Pizzeria Locale restaurants — for nearly a month.

Chipotle provided details of the attack in a blog post Friday, providing customers with information it gleaned from an investigation of the breach, which occurred between March 24 and April 18.

According to Chipotle, the malware was designed to access payment card data from cards used on the company’s point-of-sale devices, searching for track data — which can include cardholder name, card number, expiration date, and security codes — stored in the cards’ magnetic strips.

“There is no indication that other customer information was affected,” the company said in a statement, noting that it was able to remove the malware during its investigation.

Chipotle says it has been able to narrow down the scope of the hack to certain locations and times during the month-long breach. A list of affected Chipotle restaurant locations and specific time frames is available here.

While the company advised that not all locations were involved, spokesperson Chris Arnold tells CNN that “most” restaurants were affected.

Additionally, Chipotle says that the breach affected all seven locations of affiliated quick serve pizza chain, Pizzeria Locale, which operates in Ohio, Missouri, Kansas, and Colorado.

A majority of the affected Chipotle and Pizzeria Locale restaurants appear to have been infected in the days following March 24, while the breach ended at all affected stores April 18.

Chipotle urges customers to “remain vigilant to the possibility of fraud” by reviewing their credit card statements and reporting any unauthorized charges to their card issuer immediately.

The company says it continues to work with cybersecurity firms to evaluate and enhance its security measure, while also supporting law enforcement’s investigation into the breach.

Customers who have questions regarding the breach can call Chipotle at 888-738-0534.

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.