Security

Chipotle: Hackers did to our registers what our burritos did to your colon

Fast food chain cops to POS malware breach


Fast-food chain Chipotle says hackers infected its point of sale terminals to gain access to card data from stores in 47 states and Washington, DC.

The self-described "Mexican Grill" says that the malware was active earlier this year from March 24 to April 18, when it was detected, triggering the company to issue an alert.

"The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device," Chipotle said in its latest summary of the incident.

"There is no indication that other customer information was affected."

That last sentence is a bit puzzling, as a fraudster who has payment card numbers, dates, and security codes would have little need for any other info.

Chipotole says that while the compromised stores are located in every state save Alaska, Hawaii and South Dakota, not every location was breached. Chipotle's disclosure page includes a section to check individual stores.

Chipotle recommends that anyone who paid with a card at one of the compromised stores keep a close eye on bank statements and consider having an alert placed to their credit file to catch possible fraud.

The fast food chain is far from alone in falling victim to this type of scam. Hackers have targeted the POS terminals of dozens of retailers, restaurants, and hotel chains with malware payloads that collect and transmit the payment card data of customers, often resulting in the theft of thousands of card numbers. ®

Send us news
15 Comments

First-ever UEFI bootkit for Linux in the works, experts say

Bootkitty doesn’t bite… yet

RansomHub claims to net data hat-trick against Bologna FC

Crooks say they have stolen sensitive files on managers and players

Ransom gang claims attack on NHS Alder Hey Children's Hospital

Second alleged intrusion on English NHS org systems this week

Helpline for Yakuza victims fears it leaked their personal info

Organized crime types tend not to be kind to those who go against them, so this is nasty

Swiss cheesed off as postal service used to spread malware

QR codes arrive via an age-old delivery system

Keyboard robbers steal 171K customers' data from AnnieMac mortgage house

Names and social security numbers of folks looking for the biggest loan of their lives exposed

Cybercriminal devoid of boundaries gets 10-year prison sentence

Serial extortionist of medical facilities stooped to cavernous lows in search of small payouts

Kids' shoemaker Start-Rite trips over security again, spilling customer card info

Full details exposed, putting shoppers at serious risk of fraud

Amazon confirms employee data exposed in leak linked to MOVEit vulnerability

Over 5 million records from 25 organizations posted to black hat forum

Cybercrooks are targeting Bengal cat lovers in Australia for some reason

In case today’s news cycle wasn’t shocking enough, here’s a gem from Sophos

FBI issues warning as crooks ramp up emergency data request scams

Just because it's .gov doesn't mean that email is trustworthy

Don't open that 'copyright infringement' email attachment – it's an infostealer

Curiosity gives crims access to wallets and passwords