Chipotle Mexican restaurants and their affiliate Pizza Locale suffered a data breach in 2017. The Chipotle data breach affected all of their 2,250 locations. The data that hackers stole was credit card information and account logins. Hundreds of Chipotle customers alerted the restaurant to fraudulent charges that were processed through their credit card companies. The hack was perpetrated through malware installed on Chipotle point-of-sale devices from March 24 until April 18, 2017. The malware read the magnetic stripes on the backs of credit cards to steal people’s names, credit card numbers, expiration dates, and security codes.
In response to the attack, Chipotle issued a notice of data breach, hired one of the area’s top cybersecurity firms and alerted the authorities along with credit card companies.
Chipotle Data Breach of 2017
The Chipotle breach of 2017 occurred between March 24 and April 18. By April 17, customers were posting online about suspicious charges and food orders placed from their accounts, which they never initiated. Many also experienced credit card charges at other locations for goods and services. Part of the problem was due to credential stuffing, where hackers used account logins from other sites, along with brute force attacks, to log into Chipotle accounts. Some users, however, confirmed that they did not use the same password on other websites.
How to Check if You're a Victim of Chipotle Credit Card Hack
After the attack, Chipotle posted a web page on their site to allow users to check to see if their data was breached. That page has since been removed, but if you need to, you could contact Chipotle Corporate directly to inquire. Additionally, you can review your credit card statements from the period of March-April of 2017 and see if you notice any charges that were not yours. As a precaution, you could cancel the credit card used and have the bank reissue one.
What to Do if Your Data Was Breached
If you were targeted by a Chipotle security breach and suffered significant losses, gather your credit card or bank statements to supply the evidence.
- You will also want to get a copy of your credit reports (IDStrong.com offers this service along with continuous credit monitoring).
- Change your Chipotle, credit card, and bank logins. Use only really long passwords with a combination of letters, numbers, and symbols.
- Review your bank and credit card statements for that period and beyond to look for any suspicious charges.
- You can also file a report with the Attorney General’s Office in your state.
Lawsuits and Settlements for Chipotle Data Breach
There was a substantial class-action lawsuit, and Chipotle settled. The settlement includes $250 for anyone who purchased food with Chipotle or Pizza Locale during the breach period. Additionally, they are offering up to $10,000 for losses sustained as a result of the financial information being put at risk by Chipotle.
Can My Information be Used for Identity Theft?
The account login information that was stolen and then used in brute force attacks against Chipotle’s server could also be used to acquire additional personal details about you. Any information obtained during a hack or data breach can be used to steal your identity or even find additional personal information.
What to Do to Protect Yourself
In this digital age, it may seem impossible to protect yourself against hackers, data breaches, viruses, and malware, but there are things you can do to stay safe.
- Always keep your antivirus software (on all devices) up-to-date and run scans often.
- Monitor your bank and credit card statements regularly to look for any unusual charges, and add fraud alerts to your credit report.
- Change your login passwords often and make them very complicated.
- Do not share any personal information with anyone you don’t know.
- Do not click on links or download attachments in emails, even if they look legitimate.
- Invest in credit monitoring and keep an eye on your online profiles.