Chipotle says ‘most’ of its restaurants were infected with credit card stealing malware

Chipotle Mexican Grill today announced that it has identified the malware that was responsible for the credit card hack earlier this year. Alongside the news, it also released a new tool to help customers check whether the restaurant they visited was involved. When pressed by The Verge, Chipotle did not disclose the exact numbers of restaurants affected, but said “most” locations nationwide may have been involved.

“The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device,” Chipotle said in a statement. “There is no indication that other customer information was affected.”

every state Chipotle operates in had restaurants that were breached

We browsed through the tool and found that every state Chipotle operates in had restaurants that were breached, including most major cities. The restaurants were vulnerable in various time frames between March 24th and April 18th, 2017. Chipotle also operates another chain called Pizzeria Locale, which was affected by the hack as well. (The list of identified restaurants can be found here, which includes locations in Kansas, Missouri, Colorado, and Ohio.)

Chipotle noted that not all locations have been identified, but it’s a starting guide to check whether your visit lines up with the breached period. If so, the company suggests you file a police report, contact the Federal Trade Commission, or place a fraud alert or security freeze on your bank account. The latter may require out-of-pocket charges, which the customer is liable for. Chipotle isn’t legally required to offer credit protection for affected customers, making it just another one of the many things Chipotle can screw you over for.