Popular restaurant chain Chipotle Mexican Grill has announced that it was hit with a massive cybersecurity attack.
The attack, which was first reported by Chipotle on April 25, hit most the the chain's 2,250 locations and allowed hackers to steal credit card information from customers, reports The Inquisitr.
In a press release, the company provides information about the breach that is the result of an investigation involving leading cyber security firms, law enforcement, and the payment card networks:
The investigation identified the operation of malware designed to access payment card data from cards used on point-of-sale (POS) devices at certain Chipotle restaurants between March 24, 2017 and April 18, 2017. The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device. There is no indication that other customer information was affected.
During the investigation we removed the malware, and we continue to work with cyber security firms to evaluate ways to enhance our security measures. In addition, we continue to support law enforcement’s investigation and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring.
In response to the incident, Bellwether Community Credit Union of New Hampshire has filed a class-action lawsuit against Chipotle and is seeking damages, reports Credit Union Times.
The suit alleges that the breach forced financial institutions to cancel or reissue cards, close accounts, stop payments, block transactions, issue refunds, increase fraud monitoring efforts, and deal with cardholder complaints and confusion. It also claims lost interest and transaction fees due to reduced card usage.
The suit challenges Chipotle's "public statements to customers after the data breach plainly indicate that defendant believes that card-issuing institutions should be responsible for fraudulent charges on cardholder accounts resulting from the data breach."
A previous Chipotle data breach is also referenced. "Despite its 2004 data breach, Chipotle quite obviously failed to upgrade its data security systems in a meaningful way so as to prevent future breaches," the complaint alleged.
The cybersecurity attack comes just when Chipotle was recovering from the 2015 food contamination outbreak that sickened hundreds of its customers. On that occasion, Chipotle's customers in Minnesota were infected with salmonella and nearly 100 more came down with norovirus after eating at the restaurant's Southern California locations.