Numerous Chipotle Restaurants Infected With Credit Card Stealing Malware

Chipotle customers now have to worry about another bug from the Chipotle franchise. This time, however, it is not related to food safety but to its point-of-sale (POS) system. On April 25, 2017, Chipotle announced that its payment processing system had been compromised. After further investigation, Chipotle released new details on the extent of the breach and its efforts to mitigate the damage.

“We want to make our customers and investors aware we recently detected unauthorized activity on a network that supports payment processing for purchases made in our restaurants,”

At the time, Chipotle did not provide any information regarding the extent of the hack, pending an investigation into the magnitude of the breach. Now the company has released information stating that a vast number of its restaurants were affected by the breach. The breach apparently took place between March 24 and April 18. The information extracted in the breach was customers' credit card credentials.

The investigation revealed that the malware accessed track data read from the magnetic stripe as it passed through the POS system. This data contains information like the cardholder name, card number, expiration date, and verification code. Chipotle has released an online tool that allows customers to see if their credit card information is at risk by checking if the card was used in one of the affected restaurants during the suspected time frame. The company recommends that affected customers do their due diligence, contact credit reporting companies, and take appropriate steps to protect their financial information.

The investigation identified the operation of malware designed to access payment card data from cards used on point-of-sale (POS) devices at certain Chipotle restaurants between March 24, 2017 and April 18, 2017. The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device. There is no indication that other customer information was affected. A list of affected Chipotle restaurant locations and specific time frames is available here. Not all locations were involved, and the specific time frames vary by location.
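The track data described above has a fixed layout, which lets a defender check whether logs or files on a POS host contain it in the clear. The following is an added example, not part of the original article or of Chipotle's tooling: it finds Track 1 and Track 2 strings in text, confirms the card number with a Luhn check, and redacts them. The track layouts come from ISO/IEC 7813; the log line format and the function names are assumptions made for illustration.

```python
import re

# ISO/IEC 7813 layouts (general knowledge, not taken from the article):
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1 = re.compile(r"%B(\d{12,19})\^[^^?]{2,26}\^\d{4}\d{3}[^?]*\?")
TRACK2 = re.compile(r";(\d{12,19})=\d{4}\d{3}\d*\?")

def luhn_ok(pan: str) -> bool:
    """Luhn checksum; filters out digit runs that only look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Show only the first six and last four digits of the card number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_and_redact(line: str):
    """Return (findings, redacted_line) for one line of log or file text."""
    findings = []

    def redact(kind):
        def _sub(m):
            pan = m.group(1)
            if not luhn_ok(pan):
                return m.group(0)  # not a valid card number, leave untouched
            findings.append((kind, mask(pan)))
            return f"[REDACTED {kind} {mask(pan)}]"
        return _sub

    line = TRACK1.sub(redact("track1"), line)
    line = TRACK2.sub(redact("track2"), line)
    return findings, line

# Constructed sample lines (hypothetical log format) using the public
# test card number 4111111111111111; the third entry fails the Luhn check.
SAMPLE_LOG = [
    "12:01:07 pos03 swipe raw=%B4111111111111111^DOE/JANE^25121010000000000000?",
    "12:01:07 pos03 swipe raw=;4111111111111111=25121010000000000?",
    "12:01:09 pos03 order ref=;1234567890123456=99991010000?",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(scan_and_redact(entry))
```

Any finding from a scan like this on a POS host or log server means full track data is being stored or logged unencrypted, which is the material this kind of malware looks for.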

According to CyberScoop, the attack was carried out by a group of hackers known as FIN7. The group has targeted and breached around 20 companies in the hospitality sector. Apparently, the method the group used to get into the system was a phishing email containing a malicious attachment. The email used a pretext about an overdue payment to a fictitious company named Manager Slazzer LLC.

FIN7 Chipotle Phishing Email. Source:

Chipotle has faced a number of hurdles over the past two years. First an outbreak of an E. coli virus, then another, more localized outbreak of norovirus. Since these events, Chipotle has run campaigns to restore confidence in its brand. This recent breach will certainly put a dent in those efforts. Regardless, the company is reaching out to its customers and providing them with tools and information to protect their financial information. However, Chipotle is not liable or legally required to provide the affected customers with credit protection. I hope they implement some airtight security policies regarding both food safety and cyber security since I am a fan of their cuisine.

