Chipotle removes malware after breach strikes payment systems


(Bloomberg) -- Chipotle Mexican Grill Inc., which warned investors and customers last month that it had suffered a data breach, gave the all-clear on Friday, saying it had removed malicious software from its systems.

The company identified the so-called malware during a probe that included law enforcement, payment-card networks and cybersecurity firms, the burrito chain said. Hackers installed the software in order to grab customer data from point-of-sale devices, striking between March 24 and April 18.

“The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device,” Chipotle said in a statement. “There is no indication that other customer information was affected.”

The data breach was the latest setback for a company that has struggled to revive growth. An E. coli scare in late 2015 sent its sales and stock price plunging. To win back customers, the Denver-based chain has rolled out a new ad campaign and free-food offers. The company also shook up its board after being targeted by activist investor Bill Ackman.

Same-store sales began to recover last quarter after declining for five straight periods, raising hope that a turnaround is underway.

On Friday, Chipotle warned customers to check their credit-card statements for unauthorized charges and “remain vigilant to the possibility of fraud.”
