Lawsuits have started piling up in response to Chipotle’s recent data breach, and lawyers in one particular case have made an interesting discovery by digging through the burrito chain’s annual financial filings. In the suit they filed for their client, an Arizona man named Todd Gordon, the attorneys point to SEC filings where the company mentioned by name the risks posed by its point-of-sale system.
Gordon says his American Express number was stolen during the late-March/early-April breach, and that a hacker used it to make purchases in Florida. When his attorneys looked at Chipotle’s most recent 10-K filing, they realized the company had actually warned investors this could happen: “We may be harmed by security risks we face in connection with our electronic processing and transmission of confidential customer and employee information,” the filing reads. “We may in the future become subject to additional claims for purportedly fraudulent transactions.” The filing adds that if this happened, it could “distract our management from running our business,” plus cause Chipotle to “incur significant unplanned losses and expenses” and its brand to “be negatively affected.”
This warning wasn’t meant speculatively, either: the whole reason it was included is a similar data breach in 2004, which Gordon’s lawyers found in that year’s SEC filing. It cost Chipotle $4.3 million at the time, and every SEC filing since has included a cautionary line about future risk.
Documents filed with the SEC, of course, are designed in part to give a full overview of the company in question. Chipotle spokesperson Chris Arnold tells Denver 7 that anyone familiar with investing knows companies put a laundry list of business risks, “no matter how remote,” in SEC filings, so disclosing a vulnerability to hackers was just doing their due diligence to shareholders. Gordon’s attorneys argue that whatever the reason for including the warning, it still indicates that the chain knew its data-security measures had some issues. They also ask why Chipotle’s payment system still isn’t equipped to read the encrypted chips that now come standard on new credit cards.