
Massive Chipotle Data Breach Affected Roughly 2,250 Restaurants

More woes for the troubled burrito chain

Chipotle Becomes First Non-GMO US Restaurant Chain Joe Raedle/Getty Images

Update, 5/30: Hackers used malware to gain access to Chipotle customers’ credit card information between March 24 and April 18 in a massive security breach that affected roughly 2,250 restaurants, according to MarketWatch. Chipotle and its affiliate Pizzeria Locale have released lists with information about the restaurant locations that were impacted by the breach.

The theft targeted data read from credit cards’ magnetic stripes, including card numbers, expiration dates, and verification codes, and could lead to fraudulent charges. Chipotle spokesperson Chris Arnold said in a statement to NBC News that the company did not know how many people were impacted by the hack. The burrito chain says it has successfully removed the malware from its system and is working to improve its security measures. It’s recommended that customers review their credit statements for unauthorized activity and report those charges to the card issuer.


As Chipotle continues to try to climb out of a massive sales slump triggered by a string of high-profile food safety disasters, it’s suddenly got a new pain point: a potential credit card breach.

The burrito chain relayed the bad news to customers on Tuesday via a post on its website, explaining that it recently discovered unauthorized activity on its payment processing network. Translation: If you used a credit or debit card to pay for a burrito between late March and mid-April, it’s possible hackers may have stolen your card info. Chipotle is still investigating the breach, but in the meantime, best check your bank statements.

Though the news comes at a tough time for the company — Chipotle’s profits plummeted by 95 percent in 2016, a hole it’s currently attempting to get out of with new menu items and new and improved tortillas — it’s certainly not the only big chain to face similar woes recently: Arby’s is currently facing an onslaught of lawsuits in the wake of a massive security breach that’s thought to have compromised the payment data of more than 350,000 customers.

Below, Chipotle’s full statement on the potential data breach:

We recently detected unauthorized activity on the network that supports payment processing for purchases made in our restaurants. We immediately began an investigation with the help of leading cyber security firms, law enforcement, and our payment processor. We believe actions we have taken have stopped the unauthorized activity, and we have implemented additional security enhancements. Our investigation is focused on card transactions in our restaurants that occurred from March 24, 2017 through April 18, 2017. Because our investigation is continuing, complete findings are not available and it is too early to provide further details on the investigation. We anticipate providing notification to any affected customers as we get further clarity about the specific timeframes and restaurant locations that may have been affected.

Consistent with good practices, consumers should closely monitor their payment card statements. If anyone sees an unauthorized charge, they should immediately notify the bank that issued the card. Payment card network rules generally state that cardholders are not responsible for such charges.

This story was originally published on April 26 at 11 a.m.

Notice of Data Security Incident [Chipotle]
Will Chipotle’s New Tortillas Save Its Soul? [E]
Chipotle’s Data Breach: How to Tell If You May Have Been a Victim [MarketWatch]
Chipotle Says Hackers Hit Most Restaurants in Data Breach [NBC]
Chipotle Findings From Investigation of Security Incident [Chipotle]
