DENVER -- More details of Chipotle’s recent malware attack have surfaced, leading to renewed coverage of the progress of Europay Mastercard Visa (EMV) conversions as a matter of security for restaurants and retailers.
Chipotle originally reported the security breach during an earnings call on April 25, 2017. The chain also issued a statement at the time saying it increased security and opened an investigation with cybersecurity firms, law enforcement and its payment processor.
The investigation found malware designed to access consumer data from the magnetic stripes of payment cards in most Chipotle restaurant point-of-sale (POS) systems. Chipotle reported that the malware was active from March 24 through April 18, 2017. The consumer data lifted from cards is known as track data, which can include the cardholder name, card number, expiration date and internal verification code—everything needed to steal someone’s identity.
Chipotle said it removed the malware during its investigation and is working with cybersecurity firms to consider ways to improve security. The chain encouraged customers who visited the affected locations while they were infected by the malware to be on the lookout for signs of fraud or identity theft by reviewing account statements and free credit reports to monitor any illicit activity.
Pymnts.com wrote that no customers have reported being affected by the breach as of Monday, June 5, but that Chipotle does not know how many cards were affected. The payment news source also said that the information collected from the attack could allow the attackers to create clones of the cards that were swiped to use elsewhere.
Some news outlets, including USA Today, have pointed out that the attack would have been less likely to happen if Chipotle had already installed EMV chip-reading hardware. “Consumers can try to protect themselves by looking for retailers that have enabled chip-based credit and debit card use on their POS terminals. These are much more secure than magnetic-stripe cards,” the newspaper reported.
The USA Today article also covers the inordinate amount of time and money required to make restaurants and retailers EMV-capable, but the message to consumers is clear: Your financial information is not safe with chains that have not installed chip readers.
Chipotle weathered a worse storm during its norovirus episodes. If the chain can survive that, then it will have no problem recovering from the kind of data breach that plenty of other restaurants and retailers have also conquered. But as similar hacking episodes among restaurants and retailers become increasingly common, it is unclear how consumer opinions of chains that are not EMV-compatible will be affected.
Members help make our journalism possible. Become a CSP member today and unlock exclusive benefits, including unlimited access to all of our content. Sign up here.