Chipotle: Hackers Dined Out on Most Restaurants



Restaurant chain Chipotle Mexican Grill says customers' payment card data was stolen by hackers via malware installed at the vast majority of its more than 2,000 restaurant locations.


Chipotle first disclosed April 25 that it was investigating a potential data breach involving card data.


On Friday, Chipotle said it's completed its investigation, with the help of unnamed incident response firms, law enforcement agencies as well as the payment card networks, and is warning that many customers' payment card data was compromised.


Chipotle says the point-of-sale malware attack ran from March 24 to April 18 - more than three weeks. "The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device," according to Chipotle's security alert. "There is no indication that other customer information was affected."
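The track data Chipotle's alert describes has a fixed layout (ISO/IEC 7813 track 1 and track 2), and the defender's counterpart to a RAM scraper is a card-data discovery scan: checking that cleartext track records are not lingering in logs, crash dumps or debug output on POS systems and back-office servers. The Python below is an added example, not Chipotle's or any vendor's code: it finds track 1/2 records in a constructed buffer, keeps only PANs that pass the Luhn check, and masks them for safe reporting. The sample buffer and the 4111... test PAN are constructed.

```python
import re

# ISO/IEC 7813 layouts (constructed regexes, not from any product):
#   track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})?([^?]*)\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})?(\d*)\?")

def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check; filters out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """PCI-style display form: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track_data(buf: str) -> list:
    """Return Luhn-valid track records found in buf (track 1 hits first, then track 2)."""
    hits = []
    for m in TRACK1_RE.finditer(buf):
        if luhn_ok(m.group(1)):
            hits.append({"track": "track1", "pan": m.group(1),
                         "name": m.group(2).strip(), "expiry": m.group(3)})
    for m in TRACK2_RE.finditer(buf):
        if luhn_ok(m.group(1)):
            hits.append({"track": "track2", "pan": m.group(1),
                         "name": None, "expiry": m.group(2)})
    return hits

def redact(buf: str) -> str:
    """Replace every Luhn-valid PAN found in track data with its masked form."""
    for h in find_track_data(buf):
        buf = buf.replace(h["pan"], mask_pan(h["pan"]))
    return buf

# Constructed sample resembling a POS debug log; 4111111111111111 is a public test PAN.
SAMPLE = (
    "POS txn 1043 ok\n"
    "%B4111111111111111^DOE/JOHN^25121011000000?\n"   # track 1, Luhn-valid
    ";4111111111111111=25121011000000?\n"             # track 2, same PAN
    ";4111111111111112=25121011000000?\n"             # fails Luhn, ignored
    "receipt printed\n"
)

if __name__ == "__main__":
    for h in find_track_data(SAMPLE):
        print(h["track"], mask_pan(h["pan"]), h["name"], h["expiry"])
```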


Officials at the company didn't immediately respond to questions about the precise scale and scope of the breach, or the security defenses in place at its restaurants.


"Most, but not all locations may have been involved," spokesman Chris Arnold tells Nation's Restaurant News. Even so, all locations may have been involved, since Chipotle's alert includes the caveat that "not all [affected] locations were identified."


As of March 31, the company operated 2,291 locations. The company says the breach affected restaurants in 47 states as well as the District of Columbia.


Chipotle has recently seen its fortunes improve after suffering a string of food-safety failures in 2015 and 2016. The company's revenue in the first quarter of 2017 - compared to the same time period in 2016 - increased by 28 percent, to $1.07 billion, while net income was $46.1 million, compared to a net loss of $26.4 million.


Chipotle has posted an online identification tool into which consumers can enter a state, and then a city or town, to see if the location was known to have been breached. Again, however, Chipotle warns that not every breached location may be listed.


The breach also affected another chain the company operates, called Pizzeria Locale. Malware installed on POS terminals in seven of those restaurants - in Colorado, Kansas, Missouri and Ohio - was intercepting customers' card numbers from March 27 to April 18, Chipotle says in a separate Pizzeria Locale security alert.


Chipotle didn't immediately respond to queries related to exactly how many Chipotle restaurants were affected, how many customers or card numbers may have been impacted, how it discovered the breach, or which cybersecurity firms it's been working with. The chain also didn't immediately respond to queries about whether internal networks that touch payment card data are segmented from other networks, as security experts have long recommended, and which states' attorneys general recently listed as one of the "industry standards" by which they expect all organizations to abide (see Target Reaches $18.5 Million Breach Settlement with States).


Breach Notification Day: Friday


The timing of publicly traded Chipotle's data breach notification appears to have followed a by now well-worn public relations strategy. Namely, businesses with bad news tend to release it on a Friday, after markets have closed, in an attempt to minimize news coverage and capitalize on the fact that fewer people may be following news outlets on Saturday. Releasing such information during a holiday weekend - Monday is Memorial Day in the U.S. - potentially also helps bury the bad news.


Many businesses as well as politicians have long pursued this strategy.


Chipotle has included a link to its "data security incident" investigation on its corporate home page.


In it, the company issues no apology to affected customers. Its breach notification also studiously avoids any suggestion that the company failed to have robust information security processes in place, or that it has any responsibility for the breach or to affected consumers, beyond issuing its alert.


"During the investigation we removed the malware, and we continue to work with cyber security firms to evaluate ways to enhance our security measures," it says.


The data breach notification also offers general fraud-prevention advice to card-using consumers. "We remind you it is always advisable to be vigilant for incidents of fraud or identity theft by reviewing your account statements and free credit reports for any unauthorized activity," Chipotle says in its notice to data breach victims.


Chipotle has not offered prepaid identity theft monitoring services to consumers, as some organizations do following a breach. But this is not common for breaches involving payment card data. U.S. consumer protection laws limit a consumer's liability to $50 for a credit card, provided they report suspected fraud to their card issuer in a timely manner. Debit card users, however, have only 48 hours to report suspected fraud to keep the $50 liability limit; after that, they could be liable for up to $500 if the fraud is reported up to six months later.


Fines Likely


Chipotle could face fines from state attorneys general or be forced to compensate card issuers. "In this case, the card companies will fine Chipotle and also hold them liable for any fraud that results directly from their breach," Avivah Litan, a vice president at Gartner who specializes in security and privacy, tells Reuters.


Earlier this month, for example, retailer Target agreed to pay a fine of $18.5 million to state attorneys general over the massive payment card breach it suffered in 2013. That agreement followed a separate, $39 million settlement with financial institutions affected by the breach, and $16.75 million spent to settle a consolidated class action lawsuit filed on behalf of affected consumers.


Customers Respond


Some customers have taken to social media to query the chain about the apparent delay between it discovering the breach and alerting consumers (see Data Breach Notifications: What's Optimal Timing?).


Others have asked Chipotle why it wasn't using chip-reading POS terminals. The company didn't immediately respond to a request for comment about whether it uses chip-reading POS terminals in all, some or none of its restaurants, or whether consumers swipe their cards instead (see State AGs Rally for Chip-and-PIN).


Other customers, perhaps optimistically, have urged Chipotle to pay back affected customers in the form of free food.


"What a great way to say you are sorry for not using a chip reader and putting us burrito lovers at risk," one customer tweeted.


Payment Card Breach Epidemic


Restaurants, retailers and hotels in the United States continue to suffer a payment card data breach epidemic (see InterContinental Hotels Group: Malware Hit 1,200 Locations). The problem is so bad that some security experts have suggested that any organization that uses POS terminals should assume that it's been breached, until it can repeatedly prove otherwise.


The epidemic is often compounded by poor security practices at many organizations, according to Verizon's recently released 2017 Data Breach Investigations Report.


"While hotels likely come to mind first, restaurants also fall into this industry and comprise the majority of the victim population," the report reads. "Often food service victims are smaller businesses without IT departments, [or] CISOs ... but they do accept payment cards and are therefore a target for opportunistic attack."


Card-scraping malware, meanwhile, has become commoditized and can be easily procured in underground forums. Security experts say hotel, retailer and restaurant payment card data breaches can too often be read as shorthand for firms that have failed to restrict remote access to restaurant networks that handle POS data; rolled out POS devices without changing their well-known default passwords; or failed to use white-listing controls on POS terminals and related servers that would prevent unknown applications, including malware, from executing on the devices.