- The Washington Times - Friday, May 26, 2017

Chipotle Mexican Grill on Friday said a recent security incident may have compromised the personal information of customers who used credit cards at “most” of its locations during a recent three-week span.

Point-of-sale machines at various Chipotle restaurants became infected with malware between March 24 and April 18 of this year, the company announced Friday, potentially allowing hackers to have accessed sensitive customer information including credit card numbers, expiration dates, internal verification codes and the names of affected card holders.

“There is no indication that other customer information was affected,” Chipotle said in a statement. “Not all locations were involved, and the specific time frames vary by location.”

Chipotle did not immediately provide a number of precise locations, and instead offered a website where customers can sort compromised restaurants by state and then city. A cursory glance suggests hundreds of restaurants across the country were affected, including 52 in New York City, 31 in Chicago and 19 in Washington, D.C., among others.

Pressed for specifics, Chipotle said “most” locations nationwide may have been affected, The Verge reported Friday. The Denver-based company operated 2,291 locations across North America and Europe, including 57 that opened during 2016, according to its last earnings report published in April.

Chipotle advised concerned customers to monitor their credit statements for suspicious charges, but is not currently offering complimentary credit services as similarly situated companies have in the past, Reuters noted.

“Credit monitoring is only designed to let you know when someone is opening a new credit account using your information. Credit monitoring does not alert you when a fraudulent charge is made on a payment card,” Chipotle spokesman Chris Arnold told Reuters.

Chipotle first disclosed the security breach in late April but did not provide information on affected locations until this week. Cybersecurity experts and law enforcement officials are continuing to investigate the incident, and the malware has since been removed, Friday’s statement said.

Sign up for Daily Newsletters

Copyright © 2019 The Washington Times, LLC. Click here for reprint permission.

The Washington Times Comment Policy

The Washington Times welcomes your comments on Spot.im, our third-party provider. Please read our Comment Policy before commenting.


Click to Read More and View Comments

Click to Hide