Chipotle Customers Warned: Breach Affected Most States

Fast food chain Chipotle has revealed more details about a data breach first flagged last month, saying it affected customers in 47 states and Washington DC.

The Mexican restaurant chain claimed that hackers managed to get POS malware onto its systems, where they stole customers’ card track data during the period March 24 to April 18 this year.

That data, taken from the magnetic strip of non-EMV cards, may have included cardholder names alongside card number, expiration date and internal verification code.

Hackers will have tried to sell that data on the black market as soon as it was stolen, because such information typically has a short shelf life before cards are cancelled.

It’s typically used to produce counterfeit cards and/or commit online fraud.

A list of the affected Chipotle restaurant locations included most of the states in the US, as well as the nation’s capital.

The firm claimed to have removed the malware and said it’s working with the police and card networks.

It added:

“It is always advisable to remain vigilant to the possibility of fraud by reviewing your payment card statements for any unauthorized activity. You should immediately report any unauthorized charges to your card issuer because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner. The phone number to call is usually on the back of your payment card. Please see the section that follows this notice for additional steps you may take.”

Although Chipotle claimed that its latest update on Friday came at the end of an investigation by cybersecurity firms, law enforcers and the card companies, it still refused to go into any more detail on exactly how it was initially breached.

The success of such cyber-raids will continue as long as customers and organizations continue to use/accept legacy magstripe cards. 
