The company reports that the hackers were able to affect customers in 47 states and Washington DC. They did so by orchestrating a well-coordinated attack which saw the insertion of malware onto the company’s POS (Point of Sale) system, which enabled them to make off with vast amounts of data.
In terms of what was taken, the company reports that the stolen information includes everything from the magnetic strip of non-EMV cards, which includes:
• Credit card number
• Card expiration date
• Internal verification code
• And customer name and address information
In other words, it’s about as damaging an attack as can be envisioned.
Chipotle has announced that they have removed all traces of the malware and are working with law enforcement agencies and credit card agencies.
If you’ve eaten at the restaurant anytime in the last twelve months, and didn’t pay with cash, it’s a safe bet that your credit card information was stolen, and you should report the matter to the company that issued your card to get a replacement at once. While credit card data has fallen out of favor in recent months in preference for protected health information, it’s clear that there’s still a strong demand for the information. If you don’t take action, you put yourself at risk of identity theft.
Unfortunately, hackers seem to be able to modify their attacks faster than digital security consultants can bolster their defenses, so this will definitely not be the last time we get word of such an incident. There’s no such thing as a bullet proof security system, and no matter how robust yours is, a determined hacker can and will eventually breach it.
The best thing you can do, then, is be vigilant, and take immediate corrective action when something happens that impacts you.