After detecting "unauthorized activity" on its network, Chipotle Tuesday confirmed that its payment processing system was breached, sparking hope among some researchers that the incident will prompt wider adoption of EMV technology.
Chipotle reportedly said in 2015 that it would not be upgrading to EMV chips, claiming that it would slow down customer lines.
The company believes the breach occurred between March 24 and April 18 and Chipotle is currently working with a cybersecurity firm and law enforcement to investigate the issue. No further details were provided into the breach.
"We will refrain from providing additional commentary now or in the Q&A," Chipotle's Chief Financial Officer (CFO) John Hartung told Wall Street analysts during a Tuesday earnings conference call. "We anticipate notifying any affected customers as we get further clarity about the time frames and the restaurant locations that might have been affected."
Researchers say that failure to accept EMV chip cards makes retailers a bigger target as attackers become more sophisticated.
"While enabling EMV does not prevent data breaches, merchants are bigger targets for fraud if they are not accepting chip cards," U.S. Payments Forum Director Randy Vanderhoof told SC Media. "This is because it is more profitable for thieves to go after unencrypted mag stripe card data, which can be used to make counterfeit cards - chip data cannot."
The news comes after the quick-service food chain announced an increase in earnings and the strongest quarter financial results since sales hit a slump in fall 2015 following a food safety crisis.
It seems like Chipotle can't catch a break after having a rough time in the past year, Absolute Software Global Security Strategist Richard Henderson told SC Media.
“When you consider the fact that the breach may have happened for around a month, and that Chipotle has around 2,000 restaurants, the number of cards pilfered could be in the millions,” Henderson said. “An interesting side note here is that Chipotle encourages customers to pay with cards in order to speed up transactions and keep their long lines moving fast... it's no wonder they were targeted by cybercriminals.”
He said he hopes that incidents like this help change the public's mindset as to completely moving towards full EMV chip adoption but is afraid nothing will change.
“The recent 27 year sentence handed out to one of the biggest credit card hackers in the world was supposed to be a message to other credit card hackers, but I think the ease at which many of these systems are breached and how easily and quickly credit card data is traded and sold underground makes the risk vs. reward calculation far too lucrative for criminals to resist,” Henderson said. “Other retailers take note: these criminals will try to get into your POS systems... if they're not already there.”
Tim Erlin, vice president of IT security and risk strategist at Tripwire, agreed that retailers will remain attractive targets and said businesses need to isolate and lock down their point-of-sale (POS) devices as much as possible. He added that that carefully monitoring theses system's communications for anomalies can help identify successful attacks since POS terminals are typically in low-change environments.
“Implementing security configurations and closely monitoring for any change can both prevent and detect any potential attacks,” Erlin said. “These systems should talk to predictable destinations both internally on the network as well as externally on the Internet.”
UPDATE: This story was updated to include comments from Randy Vanderhoof.