Published: February 04, 2021

Chipotle Data Breach: What You Need to Know


Steve Symanovich

Staff writer


The cybersecurity attack that hit Chipotle Mexican Grill restaurants recently is a reminder that you could be at risk anytime you pay with a credit or debit card.

The Denver-based Mexican restaurant chain disclosed the payment card security breach on April 25, 2017. The company also outlined what you can do to protect yourself from fraudulent charges that could appear on your statements in the future.

On its website, Chipotle said it completed “an investigation that involved leading cybersecurity firms, law enforcement, and the payment card networks.” It reported the findings in a post on the company's website.

No one wants to lose personal information, but consumers are not alone in this type of breach, according to Kevin Haley, director of security response at Symantec.

“The good news is that the credit card companies are very good about discovering stolen cards and shutting them down,” Haley says. “But consumers should always be watching their bills for suspicious charges. If they suspect a problem, then they should call their credit card company right away. The credit card company will know what to do.”

[Full Disclosure: Symantec is the parent company of the LifeLock and Norton brands, which sell digital security solutions. This article, however, is educational in nature and not designed to promote any offerings and/or services. Our goal is to inform readers and empower them to make smart decisions.]

Chipotle data breach by the numbers

Here’s what you need to know about the Chipotle attack.

The breach affected most of its 2,250 Chipotle restaurants nationwide, as well as all seven locations of Pizza Locale, a company affiliate. Chipotle has not said how many customers were affected.

Hackers used malware to access customers’ payment card information at point-of-sale devices between March 24 and April 18, 2017. The thieves stole information contained on the magnetic strip on the back of the payment cards. This information can include names, credit card numbers, expiration dates and security codes.

What does this mean for you? If you used plastic to pay for a meal at a Chipotle restaurant during the hack, your payment information could potentially be used to make fraudulent purchases. Chipotle has launched a tool to help you find out which of its restaurants had data stolen and on what dates. Here’s the link to the tool.

Should you be nervous about grabbing a Chipotle burrito for lunch and paying with plastic? Based on what Chipotle said in its online statement, probably not. The company said it removed the malware from its system during its investigation of the breach.

What to do after a data breach

The restaurant chain has posted information on its website to help you guard against fraudulent activity on your payment accounts. Among its suggestions is something you should keep in mind even if your data hasn’t been stolen: Review your payment card statements to make sure there are no suspicious transactions.

Chipotle’s other suggestions include these:

  • Review your free credit reports for any unauthorized activity. To order your annual free credit report, please call toll-free at 1-877-322-8228.
  • Immediately contact the Federal Trade Commission and/or the Attorney General’s office in your state, if you believe you are the victim of identity theft or have reason to believe your personal information has been misused. You can obtain information from these sources about steps you can take to avoid identity theft as well as information about fraud alerts and security freezes.

Chipotle is working to enhance its security measures, the company said. It has also set up a helpline for its customers. If you think you may have lost your payment information as part of the breach and have a question, you can call this toll free number: 1-888-738-0534.

Editorial note: Our articles provide educational information for you. LifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.
