Chipotle Mexican Grill confirms malware involving point-of-sale devices at certain restaurants

Chipotle Mexican Grill, Inc. has confirmed “the operation of malware designed to access payment card data from cards used on point-of-sale (POS) devices at certain Chipotle and Pizzeria Locale restaurants between March 24, 2017 and April 18, 2017.”

Chipotle said in a press release on Friday that the released information comes at the completion of an investigation that involved cybersecurity firms, law enforcement and payment card networks. The restaurant company previously reported about the payment card security incident on April 25.

According to the release, the investigation found that malware searched for track data (which sometimes has cardholder name, in addition to card number, expiration date and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device. “There is no indication that other customer information was affected,” Chipotle added. Lists of affected Chipotle and Pizzeria Locale (an affiliated company of Chipotle) restaurant locations and specific timeframes are available at www.chipotle.com/security and www.pizzerialocale.com/security. Not all locations were involved and the specific time frames vary by location.

A statement from Pizzeria Locale indicates that restaurants in Denver, Colo., Overland Park, Kan., Kansas City, Mo., Cincinnati, Ohio and Mason, Ohio were affected between March 27 and April 18.

Although neither company identified how many customers were affected, Reuters said that “a handful of Canadian restaurants” were also hit in the breach that affected “most of its roughly 2,520 restaurants.”

Both Chipotle and Pizzeria Locale said that customers that used a payment card at an affected location during its at-risk timeframe “should remain vigilant to the possibility of fraud by reviewing their payment card statements for any unauthorized activity.” Customers should immediately report any unauthorized charges to their card issuer because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner. The phone number to call is usually on the back of the payment card, the Chipotle release added.

During the investigation, Chipotle removed the malware and continues to work with cybersecurity firms to evaluate ways to enhance its security measures. In addition, Chipotle continues to support law enforcement’s investigation and is working with the payment card networks so that the banks that issue payment cards can be made aware and “initiate heightened monitoring,” the release said.