Chipotle uncovers POS malware in breach investigation

Investigation of a payment card security incident first reported on April 25, 2017, revealed POS malware was used at certain Chipotle Mexican Grill Inc. and affiliated Pizzeria Locale restaurants from March 24, 2017 to April 18, 2017. The malware apparently searched for track data (cardholder name, card number, expiration date and internal verification code) from magnetic stripe cards being routed through POS devices.

It is unclear how many customers may have been impacted by the breach, but of the chain's estimated 2,250 restaurant locations, a large number were found to have been affected. Analysts noted that Chipotle declined to implement EMV (Europay, Mastercard and Visa) chip-enabled transaction capabilities in 2015, citing delays in the authentication process caused by issues specific to EMV implementation in fast-food service environments.

Taking preventive measures

Chipotle stated that during the investigation the malware was removed, and the company will continue to work with cyber security firms, payment card networks, banks and law enforcement agencies to enhance security measures and heighten monitoring.

Chipotle customers who used payment cards at affected locations during the incident time frame are being advised to monitor payment card statements for unauthorized activity and to immediately report any such charges; cardholders will not be held liable if charges are properly reported, according to the company. A list of affected restaurant locations and vulnerable time frames are available online at www.chipotle.com/security and www.pizzerialocale.com/security .

Editor's Note:

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.