Chipotle Hit by Credit Card Breach

The restaurant chain Chipotle Mexican Grill, which has more than 2,000 locations worldwide, this week announced that the network that supports payment processing for its restaurants was recently breached.

All card transactions in Chipotle restaurants between March 24, 2017 and April 18, 2017 may be affected.

"Because our investigation is continuing, complete findings are not available and it is too early to provide further details on the investigation," Chipotle said in a statement. "We anticipate providing notification to any affected customers as we get further clarity about the specific timeframes and restaurant locations that may have been affected."

RiskVision CEO Joe Fantuzzi told eSecurity Planet by email that point-of-sale breaches like these are increasing in frequency. "Attackers have increasingly taken advantage of security shortfalls that remain unknown and/or unaddressed in the retail sector, such as insecure third party PoS systems, hidden vulnerabilities in the network and other major gaps in their security defenses," he said.

"But with the rising tide of retail attacks, it's now imperative that retail businesses thoroughly assess their risk environment to determine the location of the critical holes in their network and which vulnerabilities present the biggest risk," Fantuzzi added. "Only when retailers are armed with this knowledge can they create an effective strategy that will enable them to combat these threats and mitigate these attacks."

End-to-End Encryption

All companies that accept credit card payments should be using end-to-end encryption to protect payment data, Gemalto vice president and CTO for data protection Jason Hart said by email. "They have to understand the payment vulnerabilities they face and protect their customers' data as early in the transaction process as possible by moving to a framework centered on the data itself," he said.

While it's not yet clear how the Chipotle breach occurred, Hart said, hackers often hit payment networks by stealing employees' or third-party vendors' login credentials. "That's why it's important for companies to not only implement the more secure EMV and encrypt payment data but to make sure there are additional layers of security, such as multi-factor authentication, for the individuals that can access the payment systems and networks," he said.

Richard Henderson, global security strategist at Absolute Software, said by email that he hopes incidents like these will help to encourage EMV chip adoption. "While EMV is not foolproof, it's far more safe than the 1960s era magstripe technology that we continue to see targeted by attackers," he said.

"The recent 27-year sentence handed out to one of the biggest credit card hackers in the world was supposed to be a message to other credit card hackers, but I think the ease at which many of these systems are breached and how easily and quickly credit card data is traded and sold underground makes the risk vs. reward calculation far too lucrative for criminals to resist," Henderson added.

A Lack of Trust

Two-thirds (68 percent) of consumers don't trust brands to handle their personal data appropriately, a recent survey of 4,002 consumers in the U.S., U.K. and Ireland found.

The survey, conducted by Arlington Research and sponsored by Gigya, also found that 63 percent of consumers feel personally accountable for protecting their data, rather than relying on companies to do so. Thirty-one percent say brand privacy policies are weaker now than they were a year ago.

"There is looming disconnect for brands if they don't respond more aggressively to consumer demand for privacy and protection of their data," Gigya senior vice president of marketing Jason Rose said in a statement. "Brands that put consumers in control of their privacy and deploy platforms that strengthen consumer data security will ultimately gain consumer trust."