For three weeks, hackers used malware to take client payment information from almost all of Chipotle Mexican Grill Inc’s (CMG.N) restaurants, the company stated on Friday.
Chipotle doesn’t yet know how many payments or clients have been affected. Spokesperson Chris Arnold said the breach affected at least 2,250 of Chipotle’s restaurants. The hack happened between March 24 and April 18.
Some Canadian restaurants were affected by the breach. The hack was first revealed on April 25.
Hackers stole data including account numbers as well as internal verification codes. However, since the discovery of the hack, the malware has been removed.
The breach’s consequences
Paul Stephens, Head of Policy and Advocacy at Privacy Rights Clearinghouse, said the data may be used to drain bank accounts linked to debit cards or to make “clone” credit cards. The information may also be used to purchase items on unsafe online sites.
The hack can affect the restaurants’ sales. This incident comes as Chipotle has only just recovered from the 2015 incident, when the chain was linked to outbreaks of E. coli, salmonella and norovirus that made hundreds of people sick.
Arnold stated that Chipotle didn’t immediately notify its customers because it didn’t collect clients’ names or email addresses at the time of purchase.
Why did the hack happen?
On the Chipotle and Pizzeria Locale websites, the company notified people and published a news release to warn its customers and tell them about the incident.
“I don’t think you will get to all of the customers who might have been affected,” Linn Freedman, a lawyer at Robinson & Cole LLP focusing on data breach response, said.
“If your data was stolen through a data breach that means you were somewhere out of compliance,” Julie Conroy, Research Director at Aite Group said.
“In this case, the card companies will fine Chipotle and also hold them liable for any fraud that results directly from their breach,” noted Avivah Litan, a Gartner Inc (IT.N) Vice President who specializes in security and privacy.
However, Chipotle didn’t comment on whether it would pay any fines.