Chipotle says ‘most’ of its restaurants were infected with credit card stealing malware

Chipotle Mexican Grill today announced that it has identified the malware that was responsible for the credit card hack earlier this year. Alongside the news, it also released a new tool to help customers check whether the restaurant they visited was involved. When pressed by The Verge, Chipotle did not disclose the exact numbers of restaurants affected, but said “most” locations nationwide may have been involved.

“The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device,” Chipotle said in a statement. “There is no indication that other customer information was affected.”

We browsed through the tool and found that every state Chipotle operates in had restaurants that were breached, including most major cities. The restaurants were vulnerable in various time frames between March 24th and April 18th, 2017. Chipotle also operates another chain called Pizzeria Locale, which was affected by the hack as well. (The list of identified restaurants can be found here, which includes locations in Kansas, Missouri, Colorado, and Ohio.)

Chipotle noted that not all locations have been identified, but it’s a starting guide to check whether your visit lines up with the breached period. If so, the company suggests you file a police report, contact the Federal Trade Commission, or place a fraud alert or security freeze on your bank account. The latter may require out-of-pocket charges, which the customer is liable for. Chipotle isn’t legally required to offer credit protection for affected customers, making it just another one of the many things Chipotle can screw you over for.


No problem. Haven’t been to one since the issues with e coli over a year ago.

You waited that long? I stopped going when I realized that they cost more than a sit down restaurant.

You can technically sit down in a Chipotle.

Sure, but they won’t wait on you.

And yet no android pay. Why can’t i give a virtual credit card # to all businesses…

I’ve been whining for a couple of years for Apple
pay. Maybe something like this is the kick they need.
Probably not.

So much for that winning back the customer thing. It’s locally owned restaurants from now on. It’s not like they were the best or cheapest anyway, just occasionally convenient.

They weren’t even "good" in my opinion.

I actually had my credit card info stolen 3 times while eating at Chipotle during this time. Couldn’t figure out why it kept happening, but eventually narrowed it down to Chipotle and like 2 other restaurants. Funny how I never heard anything about the hack until now.

dumb question but does this include purchases made with the app?

Highly unlikely. It was probably skimmers or access to their ancient POS system.

This is what happens when your POS system is based on Windows.

This is what happens when your POS system is never updated. You can easily root and malware infect older Linux distros.

Don’t finance a Burrito on a credit card…..

you dont like free money via rewards?

Sure, that is why I put a new car on one and paid it off that month.

Is getting your card hacked worth a nickle cash back though?

Why not? I had mine hacked a couple of times – I just dispute the bad transactions and my bank sends me a new card. Essentially around 20 minutes of inconvenience for about 1.5% discount on purchases on average.

It’s a money-go-round. The credit card company charges the merchant 3%, keeps half, gives the other half to you, but the merchant raises the price 3% to cover the cost of paying the credit card company. So you pay 1.5% more because (everyone) pays with their card instead of just cash.

Too bad when you pay cash most places charges you the same, so you lose even more.

Face. Palm.

I can’t wait for Apple Pay and Android Pay becoming mainstream, wouldn’t have these problems.

Billy Mays here!

It’s not called a POS system for nothing.

Let’s see, that means I’ve now had credit card leaks from the following breaches:
- Bebe
- Target
- Home Depot
- TMobile/some credit agency I don’t remember
- Chipotle

It’s kind of ridiculous. Yet we can’t even get true chip and PIN here in the US. What an embarrassment.

So em, I ate at Chiptole and paid with Credit card 3 times during this period, but since then there have yet to be any suspicious charge on my Chase Visa in the month or so afterward. What should I do with my card now?

There been no suspicious charges and my credit report is still the same old 750+, so I guess I will just remain vigilant for the time being

View All Comments
Back to top ↑