On Friday, representatives of Chipotle Mexican Grill told the press that hackers managed to steal the company’s customer payment data from its 2,250 restaurants using malware over a span of three weeks.
A number of the restaurant chain’s Canadian branches were also affected by the data breach, which the company first disclosed April 25.
In an email to Reuters, Chipotle spokesperson Chris Arnold disclosed that the company did not know how many payment cards or customers were affected by the breach, only that over 2,000 of its restaurants were struck for varying amounts of time between March 24 and April 18.
The data stolen included account numbers and internal verification codes.
Reuters reported that the malware responsible for facilitating the attack has since been removed.
Information stolen during the attack could be used to steal funds from debit card-linked bank accounts, create “clone” credit cards, or purchase items on vulnerable online sites, Privacy Rights Clearinghouse director of policy and advocacy Paul Stephens said.
An investigation into the attack found that the malware searched for data from the magnetic stripe on payment cards.
Arnold said that the company could not alert its customers directly to the danger since it did not collect their names and mailing addresses at the time of purchase.
Since the malware was detected, Chipotle has posted warnings on its website and Pizzeria Locale’s to notify customers of what had happened.
The company could face a fine based on the size of the breach and the number of records compromised, security analysts said.
“If your data was stolen through a data breach that means you were somewhere out of compliance [with payment industry data security standards],” said Aite Group research director Julie Conroy.