Chipotle announced late Friday that hackers used malware to infiltrate Chipotle Mexican Grill Inc’s ($CMG) payment system over a three-week period beginning in late March – stealing sensitive customer banking information, including account numbers and internal verification codes that could be used to drain debit-card-linked bank accounts.
The announcement was made following an investigation into an incident first reported on April 25th of “unauthorized activity” detected in some of their Canadian restaurants.
The malware searched for track data (which sometimes includes the cardholder name in addition to the card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device.
There is no word on how many customers are affected; however, Chipotle said most of its 2,250 or so restaurants were hit between March 24th and April 18th.
Chipotle refused to upgrade to chip readers in 2015
The malware used in the attack steals data found within the magnetic stripe of payment cards. Although it is not clear if EMV (chipped) payment cards would have been susceptible to the hack, Chipotle notably declined to use them in 2015 – citing inefficiencies caused by delays in the authentication process in a fast-paced food service environment.
The breach could mean big trouble for shares of Chipotle, which have only partially recovered from an E. coli outbreak in late 2015. According to Reuters, security analysts say Chipotle will likely face a fine based on the size of the breach and number of records compromised.
“If your data was stolen through a data breach that means you were somewhere out of compliance” with payment industry data security standards, said Julie Conroy, research director at Aite Group, a research and advisory firm.
“In this case, the card companies will fine Chipotle and also hold them liable for any fraud that results directly from their breach,” said Avivah Litan, a vice president at Gartner Inc (IT.N) specializing in security and privacy.
It is uncertain if and how Chipotle’s decision not to adopt chipped card payments will factor into fines levied against the company by credit card companies.
Poor $CMG just can’t catch a break!