Chipotle Mexican Grill Fast-food chain notified customers a PoS malware breach

Share this…

The Fast-food chain Chipotle notified users a security breach, hackers compromised its point of sale terminals to steal payment card data.

The Mexican Grill Fast-food chain Chipotle notified users a data breach, hackers infected its point of sale terminals to steal payment card data.

The malicious code infected systems in 47 states and Washington earlier this year from March 24 to April 18.

The list of affected Chipotle restaurants is available here.

“The investigation identified the operation of malware designed to access payment card data from cards used on point-of-sale (POS) devices at certain Chipotle restaurants between March 24, 2017 and April 18, 2017.” reads the data breach notification published by the company. “The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device. There is no indication that other customer information was affected.” 

Chipotle data breach

The company highlighted that not all the locations were breached by hackers, you can check a specific location at the following address:

Users who have paid at the compromised stores should stay vigilant on their bank accounts and check any transaction involving their payment card.

The company confirmed to have removed the malicious code from the infected systems.

“During the investigation we removed the malware, and we continue to work with cyber security firms to evaluate ways to enhance our security measures. In addition, we continue to support law enforcement’s investigation and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring.” reads the statements.

PoS systems attacks are very common, this week Target, the US retail giant that suffered one of the most severe PoS system attacks, has entered a settlement with the US Attorneys General and it has agreed to pay $18.5 million over the 2013 data breach.