Mexican fast food chain Chipotle is once again warning its customers across the US to be on the lookout for credit card fraud after a cyberattack hit its payment systems nationwide between 24 March and 19 April this year. It is believed customers in at least 48 states were impacted.
An investigation, initially detailed on 25 April, found malware designed to "access payment card data from point-of-sale (PoS) devices" at most Chipotle restaurants, the firm said in a security advisory. The probe, now concluded, involved both cybersecurity firms and law enforcement.
Experts concluded the malware could search for "track data" read from the magnetic stripe of a payment card as it was being routed through the PoS device.
In some cases, the stolen information contained the cardholder's name in addition to card number, expiration date and internal verification code.
Spokesman Chris Arnold told Reuters the company still does not know how many cards or customers were individually affected by the breach but that "most" of its 2,200-plus restaurants were hit at some time.
You can search for the impacted Chipotle branches here.
The security team wrote: "It is always advisable to remain vigilant to the possibility of fraud by reviewing your payment card statements for any unauthorised activity.
"You should immediately report any unauthorised charges to your card issuer because payment card rules generally provide that cardholders are not responsible for unauthorised charges reported in a timely manner. The phone number to call is usually on the back of your payment card.
"We removed the malware, and we continue to work with cybersecurity firms to evaluate ways to enhance our security measures. [We] are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring."
On 19 May, ABC Denver reported Chipotle was at the receiving end of a class-action lawsuit following its initial acknowledgment of the breach. It was filed by the Bellwether Community Credit Union on behalf of "credit unions, banks, and other financial institutions" which may be impacted.
Avivah Litan, a vice president at Gartner specialising in security, told Reuters: "In this case, the card companies will fine Chipotle and also hold them liable for any fraud that results directly from their breach." The firm is yet to release any statement on the subject of financial penalty.