DENVER–Another credit union has filed suit against Chipotle Mexican Grill, Inc., at the same time the restaurant chain has released new details from an internal investigation over a data breach at more than 2,000 of its restaurants.
The breach also involved Pizzeria Locale locations.
“The investigation identified the operation of malware designed to access payment card data from cards used on point-of-sale devices at certain Chipotle and Pizzeria Locale restaurants between March 24, 2017, and April 18, 2017,” the company said in a press release.
Chipotle said the malware looked for track data, which sometimes has cardholder names, card numbers, expiration dates and internal verification codes, read from the magnetic strip of the payment card as it was routed through its system. “There is no other indication that other customer information was affected,” the company said in the statement.
Chipotle said that not all locations were involved, but that any customers who used a payment card at all during the so-called at-risk time frame “should remain vigilant to the possibility of fraud by reviewing their payment statements for any unauthorized activity,” it said, in the statement.
The company said the breach affected Chipotle restaurants in 47 states as well as the District of Columbia. The breach affected Pizzeria Locale restaurants in Colorado, Kansas, Missouri and Ohio from March 27 to April 18
The latest to sue the company over costs related to the breach is Alcoa Community FCU in Benton, Ark. The suit was filed in Colorado District Court.
Also filing a lawsuit in the same court earlier was New Hampshire-based Bellwether Community CU, which is the lead plaintiff for a proposed class of financial institutions.
According to the suit, the financial institutions are alleging that Chipotle’s weak data standards led to the exposure of customers’ names and debit/credit card numbers, resulting in costs to the financial institutions in closed accounts, stopped payments, the reissuance of cards, and more.