After a month-long investigation with the assistance of law enforcement and cyber security firms, Chipotle has discovered what caused the troubling data breach in its payment system earlier this year.
According to the details released by Chipotle, malware was accessing payment data from cards used at point-of-sale (POS) devices at a number of Chipotle restaurants. The origin of this malware is not yet clear, and law enforcement is still investigating the incident.
In a statement, Chipotle elaborated on the malware:
The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device. There is no indication that other customer information was affected.
Chipotle hasn’t disclosed an exact number for how many of its restaurants were affected, but the company has released a tool for customers that can help them check if a restaurant they visited was affected.
The breach was not limited to Chipotle restaurants: the company also operates a chain of restaurants called Pizzeria Locale, which was affected by the same malware. Pizzeria Locale has published a list of affected restaurants.
However, Chipotle (and Pizzeria Locale) also note that not every one of their affected restaurants has been identified just yet, so it would be best to periodically check the corresponding websites for an update even if your favorite restaurant is not currently on the list.
As for the potentially affected customers, the company recommends filing a police report, contacting the Federal Trade Commission, or placing a fraud alert or security freeze on potentially affected accounts and credit files.