[BreachExchange] Class-action suit filed alleging Chipotle's 'elementary' security, negligence led to data breach

Audrey McNeil audrey at riskbasedsecurity.com
Mon May 22 19:09:41 EDT 2017


Chipotle faces a class-action lawsuit over the potential data breach the
company first reported last month, alleging that the company's willful
negligence and "elementary" security measures led to the breach, which is now
costing banks and customers money.

The Denver-based company first reported the possible breach late last
month, saying that credit and debit cards used between March 24 and April
18 of this year may have been compromised by “unauthorized activity” on
company servers.

“Consistent with good practices, consumers should closely monitor their
payment card statements. If anyone sees an unauthorized charge, they should
immediately notify the bank that issued the card,” the company said in its
statement. “Payment card network rules generally state that cardholders are
not responsible for such charges.”

And that statement is exactly what the lawsuit filed May 4 in the U.S.
District Court of Colorado claims is the basis for the suit.

The suit’s class has yet to be certified, but it was filed by New
Hampshire-based Bellwether Community Credit Union on behalf of all
“credit unions, banks, and other financial institutions” that may have had
to reissue customers’ cards compromised in the breach, close
compromised accounts, or remedy any fraudulent transactions.

The suit claims that there are more than 100 members of the proposed class,
and that alleged damages exceed $5 million.

Though it’s still unclear how many customers may have been affected in the
alleged breach, the suit claims that the company knew it was putting itself
at risk for further security breaches after a 2004 breach and a handful of
recent ones involving other food-service companies.

“The deficiencies in Chipotle’s security system include a lack of
elementary security measures, which even the most inexperienced IT
professional could identify as problematic,” the suit says.

It claims that the company, which had around 2,250 U.S. locations as of
March 31, failed to upgrade its security after a breach the company says
cost it about $4.3 million between 2004 and 2006.

The suit also cites Chipotle’s February 2017 annual report to the U.S.
Securities and Exchange Commission (SEC), in which the company itself said:

“We may in the future become subject to additional claims for purportedly
fraudulent transactions arising out of the actual or alleged theft of
credit or debit card information, and we may also be subject to lawsuits or
other proceedings in the future relating to these types of incidents …
Consumer perception of our brand could also be negatively affected by these
events, which could further adversely affect our results and prospects.

“The liabilities resulting from any of the foregoing would likely be far
greater than the losses we recorded in connection with the data breach
incident in 2004.”

The suit claims that one of the biggest problems that led to the hacking
was Chipotle’s failure to adhere to credit card companies’ regulations that
required companies to start using chip technology by October 2015.

Chip cards mask the card information carried in each transaction, unlike
the older magnetic-stripe cards.

But the suit claims that Chipotle stated specifically that it would not
switch over to the chip-only system because it would “slow down customer

By doing so, the company opened itself up to face damages from litigation,
as per the regulations set forth by the card companies that said that any
business not adhering to the October 2015 deadline would “agree to be
liable for damages resulting from any data breaches,” according to the

The suit says that Chipotle has said that 70 percent of its sales involved
a debit or credit card transaction, and estimates that “hundreds of
thousands” of Chipotle customers could have had their private credit and
debit card numbers, and information relating to them, compromised.

Since the burden is on banks to close accounts and reissue new cards, the
suit claims that any bank having to do so because of the Chipotle breach is
damaged by the breach and subject to compensation.

The class, should it be certified, requests damages and injunctive and
declaratory relief on the basis that Chipotle was negligent in its failure
to upgrade its security systems for transactions and data storage.

It asks a judge to issue an injunction forcing Chipotle to adhere to
industry-standard encryption methods, switch to chip-card readers, and
undergo a large audit and subsequent upgrade of its security systems.

A request for comment made to Chipotle had not been returned as of the time
of publishing.

A scheduling conference for the case has been set for July 18 in Denver.