Before Considering Your Next Dining Experience, Remember the Chipotle Data Breach
Table of Contents
- Chipotle Data Breach of 2017
- How to Check if You’re a Victim of Chipotle Credit Card Hack
- What to Do if Your Data Was Breached
- Average Cost of Failed Cybersecurity
- Lawsuits and Settlements for Chipotle Data Breach
- Other Major Data Breaches in the Food Industry
- Can My Information be Used for Identity Theft?
- What to Do to Protect Yourself
By David Lukic
Published: Dec 01, 2020
Last Updated: Mar 21, 2023
Chipotle Mexican restaurants and their affiliate Pizza Locale suffered a data breach in 2017. The Chipotle data breach affected all of their 2,250 locations. The data that hackers stole was credit card information and account logins. Hundreds of Chipotle customers alerted the restaurant to fraudulent charges that were processed through their credit card companies. The hack was perpetrated through malware installed on Chipotle point-of-sale devices from March 24 until April 18, 2017. The malware read the magnetic stripes on the backs of credit cards to steal people’s names, credit card numbers, expiration dates, and security codes.
In response to the attack, Chipotle issued a notice of data breach, hired one of the area’s top cybersecurity firms and alerted the authorities along with credit card companies.
Chipotle Data Breach of 2017
The Chipotle breach of 2017 occurred between March 24 and April 18. By April 17, customers were posting online about suspicious charges and food orders placed from their accounts, which they never initiated. Many also experienced credit card charges at other locations for goods and services. Part of the problem was due to credential stuffing, where hackers used account logins for other sites and brute-force attacks to log into Chipotle accounts. Some users, however, confirmed that they did not use the same password on other websites.
How to Check if You’re a Victim of Chipotle Credit Card Hack
After the attack, Chipotle posted a web page on their site to allow users to check to see if their data was breached. That page has since been removed, but if you need to, you could contact Chipotle Corporate directly to inquire. Additionally, you can review your credit card statements from the period of March-April of 2017 and see if you notice any charges that were not yours. As a precaution, you could cancel the credit card used and have the bank reissue one.
What to Do if Your Data Was Breached
If you were targeted by a Chipotle security breach and suffered significant losses, gather your credit card or bank statements to supply the evidence.
- You will also want to get a copy of your credit reports (IDStrong.com offers this service along with continuous credit monitoring).
- Change your Chipotle, credit card, and bank logins. Use only really long passwords with a combination of letters, numbers, and symbols.
- Review your bank and credit card statements for that period and beyond to look for any suspicious charges.
- You can also file a report with the Attorney General’s Office in your state.
Average Cost of Failed Cybersecurity
IBM estimated the average cost of a restaurant data breach to be around $3 million in 2021. That number is nearly double what it was in the previous year. Part of the reason for this increase is the growing sophistication of cyberattacks, but it's also true that restaurants store much more customer data than before.
Lawsuits and Settlements for Chipotle Data Breach
There was a substantial class-action lawsuit, and Chipotle settled. The settlement includes $250 for anyone who purchased food with Chipotle or Pizza Locale during the breach period. Additionally, they are also offering up to $10,000 for losses sustained as a result of the financial information being put at risk by Chipotle.
Other Major Data Breaches in the Food Industry
Now, don't think you're safe just because you don't like Chipotle. The Chipotle data breach is just one of many attacks on the food industry. It's estimated that over 30 percent of restaurant, hospitality, and service businesses have experienced a data breach.
DoorDash Data Breach (2019)
DoorDash is one of the services that kept people sane during the COVID-19 pandemic. However, the food delivery giant experienced a data breach that compromised customer, vendor, and driver information.
The attack started on May 4 and exposed the names, emails, addresses, and phone numbers of nearly 5 million people. The attack targeted members who'd created their account before April 6, 2018.
After investigation, DoorDash reported that the breach originated from a phishing campaign aimed at one of their third-party vendors.
An exact timeline of the company's response was never reported, but the platform did post a security notice on its site. On it, a spokesperson assured customers that complete credit card information and passwords weren't compromised.
However, DoorDash recommended that affected users reset their passwords. This was a lukewarm response to a serious breach and lacked appropriate direct contact with the victims.
Dunkin' Donuts Data Breach (2015)
For many Americans, drowsy mornings end at Dunkin'. While they make some of the best (and cheapest) coffee around, the coffee and doughnut chain failed to comply with New York's data breach notification laws for an extended period.
The law reads, "State entities and persons or businesses conducting business who own or license computerized data which includes private information must disclose any breach of the data to New York residents whose private information was exposed."
Dunkin' Donuts failed to respond and report multiple cyberattacks over five years. In that time, they lost the information for roughly 300,000 customer accounts. This wasn't among the largest breaches for multinational companies, but it was among the most negligent.
Warning signs of weak security started in 2015 when the company lost customer email addresses, account numbers, and PINs. The hackers used a brute-force attack called credential stuffing to access the information.
Credential stuffing pairs usernames stolen from other sources with passwords guessed from a user's additional personal information. Facts like birthdays, addresses, favorite foods, and pet names are often used in people's passwords.
Dunkin' Donuts even received a report from its app developer of potential security risks. However, the parent company failed to act on those concerns and even neglected to contact affected customers about the danger to their information.
Ultimately, Dunkin' paid $650,000 in penalties to the state of New York. The company also had to reset customer passwords, properly notify victims, and refund money illegally taken from prepaid cards.
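Both the Chipotle and Dunkin' incidents above involved credential stuffing. As an added example (not from the original article or from either company), this Python code flags the pattern such attacks leave in authentication logs: one source trying many different accounts with mostly failed logins. The log format, sample lines, and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample auth log (not real data): timestamp, source IP, account, result.
SAMPLE_LOG = """\
2017-04-17T10:00:00Z 203.0.113.7 user0@example.com FAIL
2017-04-17T10:00:01Z 203.0.113.7 user1@example.com FAIL
2017-04-17T10:00:02Z 203.0.113.7 user2@example.com FAIL
2017-04-17T10:00:03Z 203.0.113.7 user3@example.com OK
2017-04-17T10:00:04Z 203.0.113.7 user4@example.com FAIL
2017-04-17T10:00:05Z 203.0.113.7 user5@example.com FAIL
2017-04-17T10:02:10Z 198.51.100.20 bob@example.com FAIL
2017-04-17T10:02:25Z 198.51.100.20 bob@example.com FAIL
2017-04-17T10:02:41Z 198.51.100.20 bob@example.com OK
2017-04-17T10:05:00Z 192.0.2.55 erin@example.com OK
"""

# Thresholds are illustrative assumptions; tune them against real traffic.
def suspicious_sources(log_text, min_accounts=5, max_success_ratio=0.2):
    """Flag IPs that tried many distinct accounts with mostly failed logins."""
    accounts = defaultdict(set)   # ip -> accounts attempted
    attempts = defaultdict(int)   # ip -> total login attempts
    hits = defaultdict(set)       # ip -> accounts with a successful login
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:      # skip blank or malformed lines
            continue
        _ts, ip, account, result = fields
        accounts[ip].add(account)
        attempts[ip] += 1
        if result == "OK":
            hits[ip].add(account)

    flagged = {}
    for ip, tried in accounts.items():
        # One owner retyping a forgotten password touches one account, so the
        # distinct-account count separates that case from stuffing.
        success_ratio = len(hits[ip]) / attempts[ip]
        if len(tried) >= min_accounts and success_ratio <= max_success_ratio:
            flagged[ip] = {
                "accounts_tried": len(tried),
                "attempts": attempts[ip],
                # These logins succeeded from a flagged source: reset and notify.
                "reset": sorted(hits[ip]),
            }
    return flagged

if __name__ == "__main__":
    for ip, stats in suspicious_sources(SAMPLE_LOG).items():
        print(ip, stats)
```

The `reset` list is the part that matters for response: those accounts had a working password replayed against them and need a forced reset and customer notification.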
Sonic Drive-In Data Breach (2017)
Sonic Drive-In admitted to losing credit and debit card information for millions of accounts in 2017. The breach came to light when about 5 million card numbers appeared on the dark web. The cards had fraudulent charges reported against them and shared a common link: recent use at a Sonic location.
The attack used malware to steal information from 325 Sonic locations across the US. Some of the blame falls on the company's franchise-reliant model. Sweeping cybersecurity updates are complex to enforce and impose a high cost on franchise owners.
One of Sonic's most prominent black marks was its failure to implement basic, modern cybersecurity measures. This includes the switch to chip-enabled point-of-sale (POS) systems which automatically encrypt transaction information.
Sonic faced hundreds of lawsuits which were consolidated into a class-action. A settlement was reached through negotiations, with Sonic being the tenuous winner. The food chain agreed to pay a total of $5.73 million. The breakdown included $2.2 million in attorney fees, $500,000 in administration costs, and the rest set aside to pay out victims.
Kroger Accellion (Kiteworks) Data Breach (2021)
Accellion, now known as Kiteworks, reported that hackers compromised its file transfer product at the end of 2020. Hundreds of businesses used their product, including Kroger, the fourth largest grocery chain in the US.
Kroger announced the leak on February 19, nearly a month after it was first uncovered. The filing stated that personal information from pharmacy customers and employees was lost.
As a result, Kroger paid $5 million to handle damages from losing patient data. Over negotiations, it was revealed that roughly 3.8 million customers and employees were affected by the breach. The arguments against the supermarket claimed that both Kroger and Accellion didn't have proper security measures in place. Plaintiffs cited a need for more training for staff and updating technology as Accellion was still using legacy software.
Additionally, Kroger promised to update its security practices in the deal which included moving away from Accellion as a file transfer solution.
Can My Information be Used for Identity Theft?
The account login information that was stolen and then used in brute-force attacks against Chipotle’s server could also be used to acquire additional personal details about you. Any information obtained during a hack or data breach can be used to steal your identity or even find additional personal information.
Victimized businesses include coffee shops, delivery services, drive-ins, and even grocery stores. Unless you adopt a fully self-sufficient lifestyle, it’s nearly impossible to avoid interacting with businesses that could put your information at risk.
That’s why you must closely monitor any early signs of identity theft.
What to Do to Protect Yourself
In this digital age, it may seem impossible to protect yourself against hackers, data breaches, viruses, and malware, but there are things you can do to stay safe.
The most immediate and impactful action is to update your passwords. Too many people use the same password for multiple accounts. While this makes them easier to remember, it also gives bad actors access to your entire life in one fell swoop.
Don’t be intimidated by the thought of changing every password you’ve ever used. Focus on any accounts with access to your personal or financial information, such as social media, bank accounts, and food services.
After that, you should be fine as long as you use your browser’s built-in password manager to generate random password combinations.
Other things you can do to stay safe and prevent identity theft are:
- Always keep your antivirus software (on all devices) up-to-date and run scans often.
- Monitor your bank and credit card statements regularly to look for any unusual charges, and add fraud alerts to your credit report.
- Do not share any personal information with anyone you don’t know.
- Do not click on links or download attachments in emails, even if they look legitimate.
Invest in credit monitoring and keep an eye on your online profiles.