LOS ANGELES — Chipotle Mexican Grill on Friday said new information on a March-April data breach at its restaurants indicates hackers using malware stole customer payment information.
Consumers’ account numbers, expiration data and verification codes were accessed by the malware from payment card systems at the fast-casual chain over three weeks between March 24 and April 18. Chipotle said the malware that breached its system has been removed. Most of its 2,249 restaurants were affected, said company spokesperson Chris Arnold.
“Because of the nature of the incident and the data involved, we lack sufficient information to determine how many unique payment cards may have been involved,” he said.
The company has been working hard to rebound from food safety issues in 2015 that resulted in a sales drop. The company has since been climbing back, with its stock up to $480.15 on Friday. On January 4th, the first trading day of the year, Chipotle stock traded for $381 a share.
The company said consumers should check their credit card statements for unauthorized activity and report unauthorized charges to the card issuer. “Payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner.”
Chipotle said it’s working with cyber security firms to evaluate ways to enhance security measures. In addition, “we…are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring.”