
Chipotle Data Breach: What You Need to Know

By Steve Symanovich, a Symantec employee

The cybersecurity attack that hit Chipotle Mexican Grill restaurants recently is a reminder that you could be at risk anytime you pay with a credit or debit card.

The Denver-based Mexican restaurant chain disclosed the payment card security breach on April 25, 2017. The company also outlined what you can do to protect yourself from fraudulent charges that could appear on your statements in the future.

On its website, Chipotle said it completed “an investigation that involved leading cybersecurity firms, law enforcement, and the payment card networks.” It reported the findings in a post on the company's website.

No one wants to lose personal information, but consumers are not alone in this type of breach, according to Kevin Haley, director of security response at Symantec.

“The good news is that the credit card companies are very good about discovering stolen cards and shutting them down,” Haley says. “But consumers should always be watching their bills for suspicious charges. If they suspect a problem, then they should call their credit card company right away. The credit card company will know what to do.”

[Full Disclosure: Symantec is the parent company of the LifeLock and Norton brands, which sell digital security solutions. This article, however, is educational in nature and not designed to promote any offerings and/or services. Our goal is to inform readers and empower them to make smart decisions.]

Chipotle data breach by the numbers

Here’s what you need to know about the Chipotle attack.

The breach affected most of its 2,250 Chipotle restaurants nationwide, as well as all seven locations of Pizza Locale, a company affiliate. Chipotle has not said how many customers were affected.

Hackers used malware to access customers’ payment card information at point-of-sale devices between March 24 and April 18, 2017. The thieves stole information contained on the magnetic stripe on the back of the payment cards. This information can include names, credit card numbers, expiration dates and security codes.

What does this mean for you? If you used plastic to pay for a meal at a Chipotle restaurant during the hack, your payment information could potentially be used to make fraudulent purchases. Chipotle has launched a tool to help you find out which of its restaurants had data stolen and on what dates. Here’s the link to the tool.

Should you be nervous about grabbing a Chipotle burrito for lunch and paying with plastic? Based on what Chipotle said in its online statement, probably not. The company said it removed the malware from its system during its investigation of the breach.

What to do after a data breach

The restaurant chain has posted information on its website to help you guard against fraudulent activity on your payment accounts. Among its suggestions is something you should keep in mind even if your data hasn’t been stolen: Review your payment card statements to make sure there are no suspicious transactions.

Chipotle’s other suggestions include these:

  • Review your free credit reports for any unauthorized activity. To order your annual free credit report, please visit http://www.annualcreditreport.com/ or call toll-free at 1-877-322-8228.
  • Immediately contact the Federal Trade Commission and/or the Attorney General’s office in your state, if you believe you are the victim of identity theft or have reason to believe your personal information has been misused. You can obtain information from these sources about steps you can take to avoid identity theft as well as information about fraud alerts and security freezes.

Chipotle is working to enhance its security measures, the company said. It has also set up a helpline for its customers. If you think you may have lost your payment information as part of the breach and have a question, you can call this toll-free number: 1-888-738-0534.
