The Chipotle fast-food chain has identified more than 60 of its outlets in Minnesota as being among hundreds nationwide where customers were exposed to potential fraud when paying with credit or debit cards early this spring.
The Denver-based Mexican restaurant company said Friday that many of its locations were victims of malware, which surreptitiously searched for customer data such as a cardholder’s name, card number, expiration date and internal verification code embedded in the magnetic stripe.
The findings come from completion of an investigation that Chipotle said involved leading cyber security firms, law enforcement and the payment card networks. The company made no mention of who might have been behind the malware effort or how it penetrated its “point of sale” devices.
During the investigation, Chipotle said in a statement that it “removed the malware” that was active from March 24 through April 18 “and continues to work with cyber security firms to evaluate ways to enhance its security measures.”
Chipotle urged customers who used their payment cards at the listed locations within the affected time frame to review billing statements for evidence of fraud and report anything suspicious to the card issuer. Other options include contacting the Federal Trade Commission or the attorney general’s office at the state level.
Among the five dozen or so locations in Minnesota where customers’ data were at risk of theft, 10 were in Minneapolis, three in St. Paul and dozens more in various suburbs. Outside the metro area, outlets were hit in Duluth, Mankato, Rochester and St. Cloud.
The Chipotle website offers a way to search for specific affected locations at the bottom of this page. The page, however, served up this caveat to the search tool: “Please note that not all locations were identified, and the specific time frames vary by location.”