Breach, Malware

Chipotle Hack, Data Breach 2017: 5 Things to Know

Chipotle Mexican Grill Inc. on May 26 shared more facts about a data breach that the restaurant chain first disclosed on April 25. The breach involved "malware designed to access payment card data from cards used on point-of-sale (POS) devices at certain Chipotle restaurants between March 24, 2017 and April 18, 2017."

Here are five facts about the hack:

1. Potential information stolen: The malware searched for track data, which sometimes has cardholder name in addition to card number, expiration date, and internal verification code. The malware read from the magnetic stripe of a payment card as it was being routed through the POS device. There is no indication that other customer information was affected, the company said.

2. Affected locations: A list of affected Chipotle restaurant locations and specific time frames is available here. Not all locations were involved, and the specific time frames vary by location. Still, it sounds like most Chipotle Mexican Grill's 2,250 restaurants were impacted.

3. Timespan of Hack: Between March 24 and April 18, 2017.

4. Disclosure of Hack: Chipotle first announced knowledge of the hack on April 25, but revealed details of the malware attack and affected locations on May 26.

5. Customer Protection: Chipotle is not offering free identity protection services to customers. The reason: The company doesn't necessarily have contact information for customers who were potentially impacted by the hack.

The bigger question: How will the breach potentially impact Chipotle's image and brand -- both of which were badly damaged by earlier food quality issues. We'll be watching the potential fallout closely.

Sources: Chipotle, Reuters, Marketplace

Joe Panettieri

Joe Panettieri is co-founder & editorial director of MSSP Alert and ChannelE2E, the two leading news & analysis sites for managed service providers in the cybersecurity market.