Chipotle spills the beans about month-long cyberattack on credit card systems

Chipotle, the global fast-food chain specialising in Mexican dishes, is urging its US customers to check for suspicious activity on their bank statements after "unauthorised" activity on its payment processing systems has led to fears the company has been hacked.

The scale of the incident remains under investigation, however, officials revealed the probe is focused on all card transactions in restaurants that occurred from 24 March to 18 April this year. The firm has not said how many customers may have been compromised.

In a statement issued this week (25 April), Chipotle's security team said: "We want to make our customers aware that we recently detected unauthorised activity on the network that supports payment processing for purchases made in our restaurants.

"We immediately began an investigation with the help of leading cybersecurity firms, law enforcement, and our payment processor. We believe actions we have taken have stopped the unauthorised activity, and we have implemented additional security enhancements."

The statement said: "Consistent with good practices, consumers should closely monitor their payment card statements. If anyone sees an unauthorised charge, they should immediately notify the bank that issued the card."

According to Fortune, Chipotle's chief financial officer (CFO), Jack Hartung, told investors this week: "We anticipate notifying any affected customers as we get further clarity about time frames and the restaurant locations that might have been affected."

Raj Samani, a chief scientist at McAfee, a cybersecurity firm, said: "The news that Chipotle's payment system has been hacked is a further reminder that all types of businesses where transactions are made, are a potential target for increasingly clever cybercriminals.

"Many customers will be left wondering if they have been caught up in this [suspected] hack and whether or not they have purchased a very expensive burrito. Until Chipotle release additional information, customers will be unsure whether they have been targeted."

Tim Erlin, vice president at security firm Tripwire, added: "While we may have become numb to these breaches, criminals continue to target point of sale terminals.

"As long as credit card data continues to be valuable on the black market, any company collecting or processing valid credit card information will continue to be a high value target."