Shortly after Chipotle reported a breach on April 25 that affected more than 2,000 restaurant locations and an undisclosed number of individuals across 47 states, an investigation concluded the point-of-sale (POS) malware attack lasted from March 24 to April 18 and searched for “track data” which sometimes includes card numbers, expiration dates, and internal verification codes, according to Chipotle's security alert.
The alert instructed users to enter their state to see if the breach affected a Chipotle that they may have used. Users are also encouraged to remain vigilant and to monitor their accounts for suspicious activity and are provided a number to call if they have any questions concerning the incident.
While EMV chips would not have prevented the breach, many professionals agreed the technology is more secure than the current technology in use by the food chain.
Customers may even be alarmed to know to learn of these insecure practices when most consumer facing brands have already transitioned, Dana Simberkoff, chief compliance and risk officer at AvePoint, told SC Media.
“For a company that has already been suffering from “brand damage” from other areas of its business, security concerns are clearly an unwanted situation for the organization and its customers,” Simberkoff said. “While I don't have an estimate on the potential costs to the brand, it's likely that Chipotle will be subject to probing questions from investigating state and federal agencies on why they have not moved more rapidly to update their systems in order to protect their customers' payment data.”
While Chipotle is offering credit monitoring services from their site, the onus is still on the customer to see if they were affected or not, AsTech Chief Security Strategist Nathan Wenzler told SC Media.
“Customers may add this as another reason to be leery of buying anything from their stores, and word-of-mouth about these concerns could create a longer term impact to revenue,” Wenzler said. “The direct costs of this breach may also be difficult to calculate, as Chipotle does not maintain customer contact information or any other databases that would allow them to identify exactly who and how many people have been affected.”
Some cyberpros wouldn't be surprised if Chipotle was fined for the incident as other companies affected by the incident will want retribution.
“Standard hits from Visa and MasterCard and whomever their clearing bank is will already be clawing back the fines and the malicious charges,” Acalvio Chief Security Architect Chris Roberts told SC Media. “All of the charges that can be equated to them will be over the period of the breach, so now it's lawyers and others arguing with the banks.”
The breach is a reminder that information doesn't have to be classified for it to be valuable to cyber crooks and that it's important to secure all endpoints.
“The blurring of personal and professional use of enterprise assets such as laptops underscores the critical nature of protecting organizations from the network core to the edge, and in remote offices, against advanced threats and evasive malware, Lastline Sr. Director Patrick Bedwell told SC Media. “Users can inadvertently introduce these threats into a network by using an infected device targeted as a result of a prior data breach. Data breaches provide a distribution hub for global malware attacks for years to come.”