Chipotle Hacked: Credit Card Breach, Malware Hit 'Most' Locations, Restaurant Reports

Chipotle announced Friday that an investigation into a security incident that took place earlier this year found the point of sales system at many of its locations was infected with malware that stole customer credit card information.

The restaurant did not disclose exactly how many of its locations were affected by the malware, but told the Verge “most” locations nationwide may have been involved. Chipotle has set up an online tool for customers to see if they may have been affected.

Read: Shoney's Hacked: Malware Hits 37 Shoney's Restaurants, Credit Card Credentials Stolen

According to Chipotle’s investigation, the malware was found active on the point of sale devices at its restaurants between March 24 and April 18. The malware “searched for track data” read from the magnetic stripe of a card while being processed by the point of sale device.

The malware was capable of stealing cardholder names along with card numbers, expiration dates and verification codes. Chipotle reported that no other customer information is believed to have been taken.

Chipotle is advising customers to monitor their credit card statements for any unauthorized activity and to report any fraudulent transactions to the card issuer immediately. The company said it has alerted payment networks so they may heighten their monitoring procedures.

The company also noted it has removed the malware from its point of sales systems and is working with cybersecurity firms to help evaluate and enhance its security systems. It also stated it is working with law enforcement to investigate the attack.

Read: Target Settlement: Company Will Pay $18.5M For Credit Card Data Breach

Chipotle has also published a tool online to help customers determine if their information may have been compromised. The tool allows a person to check if a restaurant location they visited was infected by the malware.

The company notes that not all locations were affected, though restaurants in every state the business operates are listed. Chipotle also advises that the time frame of infection varies by location, so while a restaurant may have been hit, a user’s card may not have been used while the malware was active.

Pizzeria Locale, a chain that is owned and operated by Chipotle, was also affected by the hack. Locations of the affiliate company in Kansas, Missouri, Colorado and Ohio were hit by the malware.

The attack on Chipotle is the latest to hit the point of sales systems at major corporations. Earlier this year, 37 Shoney’s restaurant locations were hit by a similar attack that resulted in customer credit card information being compromised.

Earlier this week, Target agreed to a settlement with 47 states in relation to a hack that resulted in 40 million credit cards being stolen. The company agreed to pay $18.5 million and take steps to improve its security protocols.