Chipotle is out of the frying pan and into the fire with the recent discovery of malware that was relaying customer payment data to hackers from 2,250 of the Mexican restaurant chain’s store locations.
This comes close on the heels of a spate of food safety lapses that left hundreds of customers sickened by salmonella, norovirus and E. coli exposure in 2015. Despite that, shares ended only marginally lower after the announcement was made on Friday (May 26), dropping to $480.15.
The malware lifted data, including account numbers and internal verification codes, from magnetic stripes on payment cards. That information could be used to drain debit card-linked bank accounts, make “clone” credit cards or make purchases on less secure eCommerce sites.
Chipotle doesn’t know how many customers or cards were affected, and the company is unable to alert customers directly about the breach, since it doesn’t collect names or mailing addresses at the point of sale. It has done its best to circulate the information on its website and social media channels.
Attorney Linn Freedman, a specialist in data breach response, doesn’t think it’s enough. She thinks the message is unlikely to reach all affected customers, and that it shifts the burden onto the victims to discover any fraudulent transactions that may occur as a result of the Chipotle breaches.
The data was stolen between March 24 and April 18, and some Canadian restaurants were also affected, spokesman Chris Arnold told Reuters. The malware has since been removed, but Chipotle will likely face fines from the card companies for failing to protect its customers’ sensitive data sufficiently, and the restaurant will be liable for any fraud that results.
This snafu puts Chipotle in the company of Target, which just agreed to pay $18.5 million to settle claims from its 2013 Christmas-season data breach, as well as several hospitality businesses: Trump Hotels, InterContinental Hotels Group, Wendy’s, Arby’s and Landry’s.