Chipotle Mexican Grill Inc. said on Friday hackers used malware to steal customers’ card data, including account number, expiration date and internal verification codes, from payment systems at some of its restaurants over a span of three weeks.
Chipotle, which is fighting to recover from 2015 food safety lapses that pummeled its sales, said it did not know how many payment cards had been affected but said the malware has since been removed.
The information could be used to drain bank accounts, if a debit card was used, or to make credit card purchases, said Paul Stephens, director of policy and advocacy at the non-profit Privacy Rights Clearinghouse.
An investigation into the breach found the malware searched for track data from the magnetic stripe of payment cards.
Most of Chipotle’s U.S. restaurants may have been affected by the breach for varying amounts of time between March 24 and April 18, spokesman Chris Arnold said via email.
Chipotle, which operates 2,249 U.S. restaurants, is not offering credit monitoring or notifying affected customers directly, as many other chains have in the past.
“Credit monitoring is only designed to let you know when someone is opening a new credit account using your information. Credit monitoring does not alert you when a fraudulent charge is made on a payment card,” Arnold said.
He also noted that Chipotle could not alert customers directly as it did not collect their names and mailing addresses at the time of purchase.
The company said it had posted a notification on the Chipotle and Pizzeria Locale websites and issued a press release to make guests aware of the incident.
Linn Freedman, an attorney at Robinson & Cole LLP specializing in data breaches, said Chipotle was putting the burden on the consumer to discover possible fraudulent transactions by notifying them through the websites.
“I don’t think you will get to all of the customers who might have been affected,” she said.
Shares in Chipotle Mexican Grill ended marginally lower at $480.15 on Friday.