According to the company, the investigation clarified the operation of the malware involved, which was designed to access payment card data from cards used on point-of-sale (PoS) devices at Chipotle locations between March 24 and April 18, 2017.
The malware specifically searched for track data, which can include cardholder names as well as card numbers, expiration dates and verification codes.
"There is no indication that other customer information was affected," the company said.
"During the investigation we removed the malware, and we continue to work with cyber security firms to evaluate ways to enhance our security measures," Chipotle said in a statement. "In addition, we continue to support law enforcement's investigation and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring."
The fact that most locations were affected suggests the attackers likely had free access to the company's point-of-sale network, Lastline senior director of product marketing Patrick Bedwell told eSecurity Planet by email.
"Advanced malware has demonstrated its ability to evade detection by most 'next-generation' and 'advanced' technologies like sandboxes, intrusion prevention systems, and firewalls," Bedwell said. "By evading detection, the malware can move freely across a network until it finds the systems or data it is targeting, such as PoS data."
Nathan Wenzler, chief security strategist at AsTech, noted that this certainly won't help matters for a brand that has taken several hits recently due to a series of high-profile food poisoning issues. "Customers may add this as another reason to be leery of buying anything from their stores, and word of mouth about these concerns could create a longer term impact to revenue," Wenzler said.
And Acalvio chief security architect Chris Roberts said Chipotle will likely face significant fines for the breach.
"Frankly, it's a mess," Roberts said. "Oh, and the consumer is the one who appears (in this breach) to have to notify that they have suspicious activity. That's not good. The fines will be negotiated, but it's another kick in the pants for a brand that was just getting over the whole mess with their previously reported food issues."
$8 Trillion in Breach Costs
Juniper Research's recently-released Future of Cybercrime & Security report predicts that criminal data breaches will cost businesses a total of $8 trillion over the next five years, due to higher levels of Internet connectivity and inadequate enterprise security.
The report also anticipates that the number of personal data records stolen by cybercriminals will reach 2.8 billion in 2017, and 5 billion in 2020.
Small and medium sized enterprises are particularly at risks from cyber attacks, the report suggests, as they're generally spending less than $4,000 a year on cyber security .
"Businesses of all sizes need to find the time and budget to upgrade and secure their systems, or lose the ability to perform their jobs safely, or at all," research author James Moar said in a statement.