A short-lived data breach this spring affected Chipotle Mexican Grill Inc. restaurants nationwide, the company said on Friday.
The breach also affected Pizzeria Locale, the company said. Cards used at the locations between March 24 and April 18 were impacted. Chipotle initially reported the breach in April.
“Most, but not all locations may have been involved,” company spokesman Chris Arnold said in an email. And he said the locations were affected for “varying amounts of time.”
The company has set up a website with details on the breach and information for consumers. That site also includes a list of affected restaurants, which are located in all 48 contiguous U.S. states. Chipotle has also published information for Pizzeria Locale customers.
Chipotle said its investigation identified malware that was designed to access payment card data from cards used on point-of-sale devices at Chipotle and Pizzeria Locale restaurants.
The malware searched for “track data,” which sometimes has the cardholder’s name, in addition to its number, expiration date and internal verification code. That information is then sold on the black market.
Chipotle said it removed the malware and “continues to work with cyber security firms to evaluate ways to enhance its security measures.” The company also said it “continues to support law enforcement’s investigation and is working with payment card networks.”
The breach is the latest in a string of similar incidents at restaurant chains in recent years. It also comes at a sensitive time for Chipotle, which has started generating positive sales after steep declines in 2016, following a series of foodborne illness outbreaks.
Contact Jonathan Maze at [email protected]
Follow him on Twitter: @jonathanmaze