[BreachExchange] Chipotle Warns Customers of Possible Credit Card Breach

Inga Goddijn inga at riskbasedsecurity.com
Thu Apr 27 09:30:48 EDT 2017


http://www.eater.com/2017/4/26/15433866/chipotle-data-breach-credit-cards

As Chipotle continues to try to climb out of a massive sales slump
<http://www.eater.com/2017/2/3/14496440/chipotle-q4-2016-results> triggered
by a string of high-profile food safety disasters
<http://www.eater.com/2015/11/4/9668984/chipotle-e-coli-public-health-disaster>,
it’s suddenly got a new pain point: a potential credit card breach.

The burrito chain relayed the bad news to customers on Tuesday via a post
on its website <https://chipotle.com/security>, explaining that it recently
discovered unauthorized activity on its payment processing network.
Translation: If you used a credit or debit card to pay for a burrito
between late March and mid-April, it’s possible hackers may have stolen
your card info. Chipotle is still investigating the breach, but in the
meantime, best check your bank statements.

Though the news comes at a tough time for the company — Chipotle’s profits
plummeted by 95 percent in 2016, a hole it’s currently attempting to get
out of with new menu items
<http://www.eater.com/2016/6/29/12058884/chipotle-chorizo-rollout> and new
and improved tortillas
<http://www.eater.com/2017/3/28/15071988/chipotle-new-tortilla> — it’s
certainly not the only big chain to face similar woes recently: Arby’s is
currently facing an onslaught of lawsuits
<http://www.eater.com/2017/2/10/14575978/arbys-data-breach-hacked> in the
wake of a massive security breach that’s thought to have compromised the
payment data of more than 350,000 customers.

Below, Chipotle’s full statement on the potential data breach:

We recently detected unauthorized activity on the network that supports
payment processing for purchases made in our restaurants. We immediately
began an investigation with the help of leading cyber security firms, law
enforcement, and our payment processor. We believe actions we have taken
have stopped the unauthorized activity, and we have implemented additional
security enhancements. Our investigation is focused on card transactions in
our restaurants that occurred from March 24, 2017 through April 18, 2017.
Because our investigation is continuing, complete findings are not
available and it is too early to provide further details on the
investigation. We anticipate providing notification to any affected
customers as we get further clarity about the specific timeframes and
restaurant locations that may have been affected.

Consistent with good practices, consumers should closely monitor their
payment card statements. If anyone sees an unauthorized charge, they should
immediately notify the bank that issued the card. Payment card network
rules generally state that cardholders are not responsible for such charges.

• Notice of Data Security Incident <https://chipotle.com/security>
[Chipotle]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170427/0ca6561b/attachment.html>


More information about the BreachExchange mailing list