Hackers were able to gain access to Chipotle’s payment systems, and were able to “steal customer payment data” during a three-week span.
The dates of the data breach are from March 24th to April 18th, of this year. They say that most of their 2,250 restaurants were hit, including some of their Canadian locations.
The security issue has been repaired, the malware removed from their system and security patches applied, but the data that was stolen is long gone. Customer’s account numbers and verification codes are included on the data that was targeted. The info can be used to empty some banking accounts, someone could make fake “clone” credit cards, and in some cases can even be used to make online purchases.
The company doesn’t have any way of directly notifying customers individually, since that information wan’t collected at the time of purchase, but they released a statement on their website. You should double-check your bank and credit card statements, and decide what you want to do from there.
An attorney specializing in data breach says that Chipotle has now put “the burden on the consumer to discover possible fraudulent transactions” by putting the statement on the website, and an security analyst says that Chipotle may now face fines based on the number of customers affected.