Before Considering Your Next Dining Experience, Remember the Chipotle Data Breach

  • By David Lukic
  • Published: Dec 01, 2020
  • Last Updated: Mar 21, 2023

Chipotle Mexican restaurants and their affiliates Pizza Locale suffered a data breach in 2017. The Chipotle data breach affected all their 2,250 locations. The data that hacker’s stole was credit card information and account logins. Hundreds of Chipotle customers alerted the restaurant to fraudulent charges that were processed through their credit card companies. The hack was perpetrated through malware installed on Chipotle point-of-sale devices from March 24 until April 18, 2017. The malware read the magnetic strips on the backs of credit cards to steal people’s names, credit card numbers, expiration dates, and security codes.

In response to the attack, Chipotle issued a notice of data breach, hired one of the area’s top cybersecurity firms and alerted the authorities along with credit card companies.

Chipotle Data Breach of 2017

The chipotle breach of 2017, occurred between March 24 and April 18. By April 17, customers were posting online about suspicious charges and food orders placed from their accounts, which they never initiated. Many also experienced credit card charges at other locations for goods and services. Part of the problem was due to credential stuffing where hackers used account logins for other sites and brute force attacks to log into Chipotle accounts. Some users, however, confirmed that they did not use the same password on other websites.

How to Check if You’re a Victim of Chipotle Credit Card Hack

After the attack, Chipotle posted a web page on their site to allow users to check to see if their data was breached. That page has since been removed, but if you need to, you could contact Chipotle Corporate directly to inquire. Additionally, you can review your credit card statements from the period of March-April of 2017 and see if you notice any charges that were not yours. As a precaution, you could cancel the credit card used and have the bank reissue one.

chipotle data breach

What to Do if Your Data Was Breached

If you were targeted by a Chipotle security breach, and suffered significant losses, gather together your credit card or bank statements to supply the evidence.

  • You will also want to get a copy of your credit reports ( offers this service along with continuous credit monitoring). 
  • Change your Chipotle, credit card, and bank logins. Use only really long passwords with a combination of letters, numbers, and symbols.
  • Review your bank and credit card statements for that period and beyond to look for any suspicious charges. 
  • You can also file a report with the Attorney General’s Office in your state.

Average Cost of Failed Cybersecurity

IBM estimated the average cost of a restaurant data breach to be around $3 million in 2021. That number is nearly double what it was in the previous year. Part of the reason for this increase is the growing sophistication of cyberattacks, but it's also true that restaurants store much more customer data than before.

Lawsuits and Settlements for Chipotle Data Breach

chipotle security breach

There was a substantial class-action lawsuit, and Chipotle settled. The settlement includes $250 for anyone who purchased food with Chipotle or Pizza Locale during the breach period. Additionally, they are also offering up to $10,000 for losses sustained as a result of the financial information being put at risk by Chipotle.

Other Major Data Breaches in the Food Industry

Now, don't think you're safe just because you don't like Chipotle. The Chipotle data breach is just one of many attacks on the food industry. It's estimated that over 30 percent of restaurant, hospitality, and service businesses have experienced a data breach.

DoorDash Data Breach (2019)

DoorDash is one of the services that kept people sane during the COVID-19 Pandemic. However, the food delivery giant experienced a data breach that compromised customer, vendor, and driver information.

The attack started on May 4 and lost the names, emails, addresses, and phone numbers of nearly 5 million people. The attack targeted members who'd created their account before April 6, 2018.

After investigation, DoorDash reported that the breach originated from a phishing campaign aimed at one of their third-party vendors.

An exact timeline of the company's response was never reported, but the platform did post a security notice on its site. On it, a spokesperson assured customers that complete credit card information and passwords weren't compromised.

However, DoorDash recommended that affected users reset their passwords. This was a lukewarm response to a serious breach and lacked appropriate direct contact with the victims.

Dunkin' Donuts Data Breach (2015)

For many Americans, drowsy mornings end at Dunkin'. While they make some of the best (and cheapest) coffee around, the coffee and doughnut chain failed to comply with New York's data breach notification laws for an extended period.

The law reads, "State entities and persons or businesses conducting business who own or license computerized data which includes private information must disclose any breach of the data to New York residents whose private information was exposed."

Dunkin' Donuts failed to respond and report multiple cyberattacks over five years. In that time, they lost the information for roughly 300,000 customer accounts. This wasn't among the largest breaches for multinational companies, but it was among the most negligent.

Warning signs of weak security started in 2015 when the company lost customer email addresses, account numbers, and PINs. The hackers used a brute-force attack called credential stuffing to access the information.

By pairing usernames stolen from other sources, credential stuffing guesses passwords based on a user's additional personal information. Facts like birthdays, addresses, favorite foods, and pet names are often used in people's passwords.

Dunkin' Donuts even received a report from its app developer of potential security risks. However, the parent company failed to act on those concerns and even neglected to contact affected customers about the danger to their information.

Ultimately, Dunkin' paid $650,000 in penalties to the state of New York. The company also had to reset customer passwords, properly notify victims, and refund money illegally taken from prepaid cards.

Sonic Drive-In Data Breach (2017)

Sonic Drive-In admitted to losing millions of accounts' credit and debit card information in 2017. The breach came to light when about 5 million card numbers appeared on the dark web. Each card reported fraudulent charges and had the common link of recently visiting a Sonic location.

The attack used malware to steal information from 325 Sonic locations across the US. Some of the blame falls on the company's franchise-reliant model. Sweeping cybersecurity updates are complex to enforce and require a high cost from franchise owners.

One of Sonic's most prominent black marks was its failure to implement basic, modern cybersecurity measures. This includes the switch to chip-enabled point-of-sale (POS) systems which automatically encrypt transaction information.

Sonic faced hundreds of lawsuits which were consolidated into a class-action. A settlement was reached through negotiations, with Sonic being the tenuous winner. The food chain agreed to pay a total of $5.73 million. The breakdown included $2.2 million in attorney fees, $500,000 in administration costs, and the rest set aside to pay out victims.

Kroger Accellion (Kiteworks) Data Breach (2021)

Accellion, now known as Kiteworks, reported that hackers compromised its file transfer product at the end of 2020. Hundreds of businesses used their product, including Kroger, the fourth largest grocery chain in the US. 

Kroger announced the leak on February 19, nearly a month after it was first uncovered. The filing stated that personal information from pharmacy customers and employees was lost.

As a result, Kroger paid $5 million to handle damages from losing patient data. Over negotiations, it was revealed that roughly 3.8 million customers and employees were affected by the breach. The arguments against the supermarket claimed that both Kroger and Accellion didn't have proper security measures in place. Plaintiffs cited a need for more training for staff and updating technology as Accellion was still using legacy software.

Additionally, Kroger promised to update its security practices in the deal which included moving away from Accellion as a file transfer solution.

Can My Information be Used for Identity Theft?

The account login information stolen and then used to brute force attack Chipotle’s server could also be used to acquire additional personal details about you. Any information obtained during a hack or data breach can be used to steal your identity or even find additional personal information.

Victimized businesses include coffee shops, delivery services, drive-ins, and even grocery stores. Unless you adopt a fully self-sufficient lifestyle, it’s nearly impossible to avoid interacting with businesses that could put your information at risk.

That’s why you must closely monitor any early signs of identity theft

What to Do to Protect Yourself

In this digital age, it may seem impossible to protect yourself against hackers, data breaches, viruses, and malware, but there are things you can do to stay safe.

The most immediate and impactful action is to update your passwords. Too many people use the same password for multiple accounts. While this makes them easier to remember, it also gives bad actors access to your entire life in one fell swoop.

Don’t be intimidated by the thought of changing every password you’ve ever used. Focus on any accounts with access to your personal or financial information, such as social media, bank accounts, and food services.

After that, you should be fine as long as you use your browser’s built-in password manager to generate random password combinations.

Other things you can do to stay safe and prevent identity theft are:

  • Always keep your antivirus software (on all devices) up-to-date and run scans often.
  • Monitor your bank and credit card statements regularly to look for any unusual charges, and add fraud alerts to your credit report.
  • Do not share any personal information with anyone you don’t know.
  • Do not click on links or download attachments in emails, even if they look legitimate.

Invest in credit monitoring and keep an eye on your online profiles.

About the Author
IDStrong Logo

Related Articles

What is Data Leak and How to Prevent Accidental Data Leakage

Data breaches take many forms, and one of them is through data leak and accidental web exposure. M ... Read More

The Saga of T-Mobile Data Breach: 2013, 2015, 2021 and 2023 Hacks

T-Mobile has experienced a number of data breaches in the past decade. The first case occurred som ... Read More

Anthem Data Breach Exposed 78 Million Records

In the Anthem Data Breach of 2015, hackers were able to steal 78.8 million member’s records. ... Read More

Everything You Need to Know About Insider Data Breach

Data breaches are on the news frequently, but the average person doesn’t really know that mu ... Read More

The NSA Hack, How Did it Happen?

The National Security Agency (NSA) was the main attraction in a major data breach involving three ... Read More

Latest Articles

What Are Vacation Club and Timeshare Scams and How to Avoid Them

What Are Vacation Club and Timeshare Scams and How to Avoid Them

In early 2023, the FBI made a public service announcement warning that scammers had been targeting owners of timeshares in Mexico; they reported an estimated $39.6 million in losses involving only Mexico timeshares.

What to Do if Your Credit Card is Lost or Stolen

What to Do if Your Credit Card is Lost or Stolen

Credit and debit cards have become the most prominent form of wealth access in the last decade. Once consumers pulled out thick wallets of cash—they now pull out thin clips of cards—if they bother using a card, not a watch or cellphone.

Credit Card CVV Number: Meaning and Security

Credit Card CVV Number: Meaning and Security

Inspect your credit card, and you'll likely find interesting—and crucial—elements of the plastic rectangle. The front might display the provider's name, a chip, some digits, or an entire card number; the back might hold much the same, along with a signature, when necessary, and a "valid thru [sic]" date.

Featured Articles

How to Buy a House with Bad Credit

How to Buy a House with Bad Credit

Buying your own home is the American Dream, but it might seem out of reach to those with bad credit. However, the good news is, if your credit is less than perfect, you do still have options and in most cases, can still buy a home.

How Secure Is Your Password? Tips to Improve Your Password Security

How Secure Is Your Password? Tips to Improve Your Password Security

Any good IT article on computers and network security will address the importance of strong, secure passwords. However, the challenge of good passwords is that most people have a hard time remembering them, so they use simple or obvious ones that pose a security risk.

Top 10 Senior Scams and How to Prevent Them

Top 10 Senior Scams and How to Prevent Them

Senior scams are becoming a major epidemic for two reasons. First, seniors often have a lot of money in the bank from a life of working hard and saving.

Free Identity Exposure Scan
Instantly and Securely Check if Your Personal Information is Exposed on the Dark Web or Sold by Data Brokers
Please enter first name
Please enter last name
Please select a state
Free Identity Threat Scan
Instantly Check if Your Personal Information is Exposed
All fields below are required
Please enter first name
Please enter last name
Please enter a city
Please select a state
Please enter an age
Please enter an email address