If you ate at Chipotle between March 24 and April 18, it’s time to check your credit-card statement for anything weird. The chain first acknowledged that hackers had stolen customers’ personal data in an earnings report on April 25, telling investors it was investigating “unauthorized activity on the network that supports payment processing.” In a blog post, the company says that investigation has now concluded, and when asked to characterize the scale of the attack, spokesperson Chris Arnold told CNN that “most, but not all restaurants may have been involved.”
The malware infected point-of-sale systems in stores, and Chipotle says the hackers could have accessed card names, numbers, expiration dates, and verification codes. It notes there’s “no indication” other personal data was stolen, although it’s not clear how much personal data is left for this other category. To help customers out, Chipotle has set up a database of affected stores that’s searchable by city and state. For example, the data was compromised at 52 of New York City’s roughly 70 stores. (The database also lists what dates stores were affected during the attack’s 25-day period.) Customers have already started reporting fraudulent activity, too, like a Kansas City man who told the local news yesterday that almost $1,000 worth of Airbnb charges mysteriously appeared on his account.
The company’s statement says, “During the investigation we removed the malware, and we continue to work with cyber security firms to evaluate ways to enhance our security measures.” It also includes a reminder to “be vigilant for incidents of fraud or identity theft by reviewing your account statements.” Chipotle tells customers who realize they’ve become victims of fraud to contact the Federal Trade Commission, their home state’s attorney general, or the local police.