U.S. Markets closed
  • S&P 500

    3,845.47
    +14.08 (+0.37%)
     
  • Dow 30

    31,039.65
    +71.83 (+0.23%)
     
  • Nasdaq

    11,362.20
    +39.96 (+0.35%)
     
  • Russell 2000

    1,727.48
    -13.85 (-0.80%)
     
  • Crude Oil

    98.25
    -1.25 (-1.26%)
     
  • Gold

    1,737.70
    -26.20 (-1.49%)
     
  • Silver

    19.10
    +0.05 (+0.28%)
     
  • EUR/USD

    1.0182
    -0.0088 (-0.8553%)
     
  • 10-Yr Bond

    2.9130
    +0.1040 (+3.70%)
     
  • Vix

    26.82
    -0.72 (-2.61%)
     
  • GBP/USD

    1.1924
    -0.0028 (-0.2325%)
     
  • USD/JPY

    135.9160
    +0.0740 (+0.0545%)
     
  • BTC-USD

    20,391.82
    -78.59 (-0.38%)
     
  • CMC Crypto 200

    440.06
    +4.54 (+1.04%)
     
  • FTSE 100

    7,107.77
    +82.30 (+1.17%)
     
  • Nikkei 225

    26,107.65
    -315.82 (-1.20%)
     

Chipotle says hackers hit most restaurants in data breach

Signage for a Chipotle Mexican Grill is seen in Los Angeles, California, United States, April 25, 2016. REUTERS/Lucy Nicholson/File Photo

By Lisa Baertlein

(Reuters) - Hackers used malware to steal customer payment data from most of Chipotle Mexican Grill Inc's (CMG.N) restaurants over a span of three weeks, the company said on Friday, adding to woes at the chain that has just started recovering from a string of food safety lapses in 2015.

Chipotle said it did not know how many payment cards or customers were affected by the breach that struck most of its roughly 2,250 restaurants for varying amounts of time between March 24 and April 18, spokesman Chris Arnold said via email.

Stolen data included account numbers and internal verification codes.

The malware has since been removed.

The information could be used to drain bank accounts, make "clone" credit cards, or to buy things on certain less-secure online sites, said Paul Stephens, director of policy and advocacy at the non-profit Privacy Rights Clearinghouse.

An investigation into the breach found the malware searched for track data from the magnetic stripe of payment cards.

Chipotle is not offering credit monitoring or notifying affected customers directly, as many other chains have in the past. A handful of Canadian restaurants were also hit.

"Credit monitoring is only designed to let you know when someone is opening a new credit account using your information. Credit monitoring does not alert you when a fraudulent charge is made on a payment card," Arnold said.

He also said that Chipotle could not alert customers directly as it did not collect their names and mailing addresses at the time of purchase.

The company said it had posted a notification on the Chipotle and Pizzeria Locale websites and issued a press release to make customers aware of the incident.

Linn Freedman, an attorney at Robinson & Cole LLP specializing in data breaches, said Chipotle was putting the burden on the consumer to discover possible fraudulent transactions by notifying them through the websites.

"I don't think you will get to all of the customers who might have been affected," she said.

Shares in Chipotle Mexican Grill ended marginally lower at $480.15 on Friday following the announcement.

(Additional reporting by Natalie Grover and Siddharth Cavale in Bengaluru and Tom Polansek in Chicago; Editing Sai Sachin Ravikumar and Grant McCool)