Restaurant chain Chipotle Mexican Grill has admitted that customers’ payment card data was stolen by hackers via malware installed at “the vast majority of its more than 2,000 restaurant locations”.
Chipotle first disclosed on April 25 that it was investing a potential data breach involving payment card data.
Last Friday, Chipotle announced that it had completed its investigation, with the help of unnamed incident response firms, law enforcement agencies as well as the payment card networks, and is warning that many customers’ payment card data were compromised.
Chipotle says the point-of-sale malware attack ran from March 24 to April 18 – for more than three weeks, almost 4 weeks infact. “The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device,” according to Chipotle’s security alert. “There is no indication that other customer information was affected.”
The Chipotle Security Announcement text is here:
Chipotle Mexican Grill Reports Findings from Investigation of Payment Card Security Incident
California residents please click here.
Chipotle Mexican Grill, Inc. (Chipotle) is providing further information about the payment card security incident that Chipotle previously reported on April 25, 2017. The information comes at the completion of an investigation that involved leading cyber security firms, law enforcement, and the payment card networks.
The investigation identified the operation of malware designed to access payment card data from cards used on point-of-sale (POS) devices at certain Chipotle restaurants between March 24, 2017 and April 18, 2017. The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device. There is no indication that other customer information was affected. A list of affected Chipotle restaurant locations and specific time frames is available here. Not all locations were involved, and the specific time frames vary by location.
It is always advisable to remain vigilant to the possibility of fraud by reviewing your payment card statements for any unauthorized activity. You should immediately report any unauthorized charges to your card issuer because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner. The phone number to call is usually on the back of your payment card. Please see the section that follows this notice for additional steps you may take.
During the investigation we removed the malware, and we continue to work with cyber security firms to evaluate ways to enhance our security measures. In addition, we continue to support law enforcement’s investigation and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring.
If customers have questions regarding this incident, you can call 888-738-0534 Monday through Friday between the hours of 9:00 a.m. and 9:00 p.m. EDT, or Saturday and Sunday between the hours of 9:00 a.m. and 5:00 p.m. EDT.
MORE INFORMATION ON WAYS TO PROTECT YOURSELF
We remind you it is always advisable to be vigilant for incidents of fraud or identity theft by reviewing your account statements and free credit reports for any unauthorized activity. You may obtain a copy of your credit report, free of charge, once every 12 months from each of the three nationwide credit reporting companies. To order your annual free credit report, please visit www.annualcreditreport.com or call toll free at 1-877-322-8228. Contact information for the three nationwide credit reporting companies is as follows:
- Equifax
Phone: 1-800-685-1111
P.O. Box 740256
Atlanta, Georgia 30348
www.equifax.com- Experian
Phone: 888-397-3742
P.O. Box 9554
Allen, Texas 75013
www.experian.com- TransUnion
Phone: 888-909-8872
P.O. Box 105281
Atlanta, GA 30348-5281
www.transunion.comIf you believe you are the victim of identity theft or have reason to believe your personal information has been misused, you should immediately contact the Federal Trade Commission and/or the Attorney General’s office in your state. You can obtain information from these sources about steps an individual can take to avoid identity theft as well as information about fraud alerts and security freezes. You should also contact your local law enforcement authorities and file a police report. Obtain a copy of the police report in case you are asked to provide copies to creditors to correct your records. Contact information for the Federal Trade Commission is as follows:
- Federal Trade Commission
Consumer Response Center
600 Pennsylvania Avenue
NW Washington, DC 20580- 1-877-IDTHEFT (438-4338)
- www.ftc.gov/idtheft
Fraud Alerts: To protect yourself from possible identity theft, consider placing a fraud alert on your credit file. A fraud alert can make it more difficult for someone to get credit in your name because it tells creditors to follow certain procedures to protect you. It also may delay your ability to obtain credit. You may place a fraud alert in your file by calling one of the three nationwide consumer reporting agencies:
- Equifax, PO Box 740256, Atlanta, GA 30374, www.equifax.com, 1-800-685-1111
- Experian, PO Box 9554, Allen, TX 75013, www.experian.com, 1-888-397-3742
- TransUnion, PO Box 2000, Chester, PA 19016, www.transunion.com, 1-800-680-7289
As soon as that agency processes your fraud alert, it will notify the other two, which then also must place fraud alerts in your file. You may choose between two types of fraud alert. An initial alert (Initial Security Alert) stays in your file for at least 90 days. An extended alert (Extended Fraud Victim Alert) stays in your file for seven years. To place either of these alerts, a consumer reporting agency will require you to provide appropriate proof of your identity, which may include your Social Security number. If you ask for an extended alert, you will have to provide an identity theft report. An identity theft report includes a copy of a report you have filed with a federal, state, or local law enforcement agency, and additional information a consumer reporting agency may require you to submit. For more detailed information about the identity theft report, visit www.ftc.gov/idtheft/.
Security Freeze: You may wish to place a “security freeze” (also known as a “credit freeze”) on your credit file. A security freeze is designed to prevent potential creditors from accessing your credit file at the consumer reporting agencies without your consent. There may be fees for placing, lifting, and/or removing a security freeze, which generally range from $5-$20 per action. Unlike a fraud alert, you must place a security freeze on your credit file at each consumer reporting agency individually. In order to request a security freeze, the consumer reporting agencies may require proper identification prior to honoring your request and ask that you provide:
- Your full name (including middle initial as well as Jr., Sr., II, III, etc.)
- Social Security number
- Date of birth
- If you have moved in the past five (5) years, provide the addresses where you have lived over the prior five years
- Proof of current address such as a current utility bill or telephone bill
- A legible photocopy of a government issued identification card (state driver’s license or ID card, military identification, etc.)
- If you are a victim of identity theft, include a copy of the police report, investigative report, or complaint to a law enforcement agency concerning identity theft
As the instructions for establishing a security freeze differ from state to state, please contact the three consumer reporting agencies to find out more information.
If you are a resident of Maryland, you may contact the Maryland Attorney General’s Office at 200 St. Paul Place, Baltimore, MD 21202, www.oag.state.md.us, 1-888-743-0023.
If you are a resident of North Carolina, you may contact the North Carolina Attorney General’s Office at 9001 Mail Service Center, Raleigh, NC 27699, www.ncdoj.gov, 1-919-716- 6400.
If you are a resident of Massachusetts, note that you have the right to obtain a police report and request a security freeze as described above. The consumer reporting agencies may charge you a fee of up to $5 to place a security freeze on your account, and may require that you provide certain personal information (such as your name, Social Security number, date of birth, and address) and proper identification (such as a copy of a government-issued ID card and a bill or statement) prior to honoring your request. There is no charge, however, to place, lift or remove a security freeze if you have been a victim of identity theft and you provide the consumer reporting agencies with a valid police report.
If you are a resident of Rhode Island, you may obtain information about preventing and avoiding identity theft from the Rhode Island Office of the Attorney General at 150 South Main Street Providence, RI 02903, www.riag.ri.gov, (401)-274-4400. You have the right to obtain a police report and request a security freeze as described above. The consumer reporting agencies may charge you a fee of up to $10 to place a security freeze on your account, and may require that you provide certain personal information (such as your name, Social Security number, date of birth, and address) and proper identification (such as a copy of a government-issued ID card and a bill or statement) prior to honoring your request. There is no charge, however, to place, lift or remove a security freeze if you have been a victim of identity theft and you provide the consumer reporting agencies with a valid police report.
If you are a resident of West Virginia, you have the right to the right to ask that nationwide consumer reporting agencies place “fraud alerts” in your file to let potential creditors and others know that you may be a victim of identity theft, as described above. You also have a right to place a security freeze on your credit report, as described above.
Residents of California
NOTICE OF DATA BREACH
What Happened
Chipotle Mexican Grill, Inc. is providing further information about the payment card security incident that Chipotle previously reported on April 25, 2017. The information comes at the completion of an investigation that involved leading cyber security firms, law enforcement and the payment card networks.
What Information Was Involved
The investigation identified the operation of malware designed to access payment card data from cards used on point-of-sale (POS) devices at certain Chipotle restaurants between March 24, 2017 and April 18, 2017. The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device. There is no indication that other customer information was affected. A list of affected Chipotle restaurant locations and specific time frames is available here. Not all locations were involved, and the specific time frames vary by location.
What You Can Do
It is always advisable to remain vigilant to the possibility of fraud by reviewing your payment card statements for any unauthorized activity. You should immediately report any unauthorized charges to your card issuer because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner. The phone number to call is usually on the back of your payment card. Please see the section that follows this notice for additional steps you may take.
What We Are Doing
During the investigation we removed the malware, and we continue to work with cyber security firms to evaluate ways to enhance security measures. In addition, we continue to support law enforcement’s investigation and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring.
For More Information
If customers have questions regarding this incident, you can call 888-738-0534 Monday through Friday between the hours of 9:00 a.m. and 9:00 p.m. EDT, or Saturday and Sunday between the hours of 9:00 a.m. and 5:00 p.m. EDT.
MORE INFORMATION ON WAYS TO PROTECT YOURSELF
We remind you it is always advisable to be vigilant for incidents of fraud or identity theft by reviewing your account statements and free credit reports for any unauthorized activity. You may obtain a copy of your credit report, free of charge, once every 12 months from each of the three nationwide credit reporting companies. To order your annual free credit report, please visit www.annualcreditreport.com or call toll free at 1-877-322-8228. Contact information for the three nationwide credit reporting companies is as follows:
- Equifax
Phone: 1-800-685-1111
P.O. Box 740256
Atlanta, Georgia 30348
www.equifax.com- Experian
Phone: 888-397-3742
P.O. Box 9554
Allen, Texas 75013
www.experian.com- TransUnion
Phone: 888-909-8872
P.O. Box 105281
Atlanta, GA 30348-5281
www.transunion.comIf you believe you are the victim of identity theft or have reason to believe your personal information has been misused, you should immediately contact the Federal Trade Commission and/or the Attorney General’s office in your state. You can obtain information from these sources about steps an individual can take to avoid identity theft as well as information about fraud alerts and security freezes. You should also contact your local law enforcement authorities and file a police report. Obtain a copy of the police report in case you are asked to provide copies to creditors to correct your records. Contact information for the Federal Trade Commission is as follows:
- Federal Trade Commission
Consumer Response Center
600 Pennsylvania Avenue
NW Washington, DC 20580- 1-877-IDTHEFT (438-4338)
- www.ftc.gov/idtheft
Restaurants and timeframes that relate to this notification
You can use the locator tool below to check for a restaurant identified during the investigation and its specific time frame. Please note that not all locations were identified, and the specific time frames vary by location.
At the bottom of the release is a restaurant locator – both Loveland, Colorado Locations are affected as is the 807 17th Street Greeley location, and the two Fort Collins locations as well.