Chipotle Data Breach: What You Need to Know

The cybersecurity attack that hit Chipotle Mexican Grill restaurants recently is a reminder that you could be at risk anytime you pay with a credit or debit card.

The Denver-based Mexican restaurant chain disclosed the payment card security breach on April 25, 2017. The company also outlined what you can do to protect yourself from fraudulent charges that could appear on your statements in the future.

Chipotle said it completed “an investigation that involved leading cybersecurity firms, law enforcement, and the payment card networks,” and it reported the findings in a post on its website.

No one wants to lose personal information, but consumers are not alone in this type of breach, according to Kevin Haley, director of security response at Symantec.

“The good news is that the credit card companies are very good about discovering stolen cards and shutting them down,” Haley says. “But consumers should always be watching their bills for suspicious charges. If they suspect a problem, then they should call their credit card company right away. The credit card company will know what to do.”

[Full Disclosure: Symantec is the parent company of the LifeLock and Norton brands, which sell digital security solutions. This article, however, is educational in nature and not designed to promote any offerings and/or services. Our goal is to inform readers and empower them to make smart decisions.]

Chipotle data breach by the numbers

Here’s what you need to know about the Chipotle attack.

The breach affected most of its 2,250 Chipotle restaurants nationwide, as well as all seven locations of Pizza Locale, a company affiliate. Chipotle has not said how many customers were affected.

Hackers used malware to access customers’ payment card information at point-of-sale devices between March 24 and April 18, 2017. The thieves stole information contained on the magnetic strip on the back of the payment cards. This information can include names, credit card numbers, expiration dates and security codes.

What does this mean for you? If you used plastic to pay for a meal at a Chipotle restaurant during the hack, your payment information could potentially be used to make fraudulent purchases. Chipotle has launched a tool to help you find out which of its restaurants had data stolen and on what dates. Here’s the link to the tool.

Should you be nervous about grabbing a Chipotle burrito for lunch and paying with plastic? Based on what Chipotle said in its online statement, probably not. The company said it removed the malware from its system during its investigation of the breach.

What to do after a data breach

The restaurant chain has posted information on its website to help you guard against fraudulent activity on your payment accounts. Among its suggestions is something you should keep in mind even if your data hasn’t been stolen: Review your payment card statements to make sure there are no suspicious transactions.

Chipotle’s other suggestions include these:

  • Review your free credit reports for any unauthorized activity. To order your annual free credit report, please visit http://www.annualcreditreport.com/ or call toll-free at 1-877-322-8228.
  • Immediately contact the Federal Trade Commission and/or the Attorney General’s office in your state, if you believe you are the victim of identity theft or have reason to believe your personal information has been misused. You can obtain information from these sources about steps you can take to avoid identity theft as well as information about fraud alerts and security freezes.

Chipotle is working to enhance its security measures, the company said. It has also set up a helpline for its customers. If you think you may have lost your payment information as part of the breach and have a question, you can call this toll-free number: 1-888-738-0534.

Editor’s note: Our articles provide educational information. LifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about.
