Hackers stole customer payment data from 22 Chipotle Mexican Grill locations on Long Island as part of a breach that affected most of the chain’s roughly 2,250 restaurants, the company said.
Chipotle could not say how many customers were affected by the malware attack, company spokesman Chris Arnold said via email Tuesday. The chain announced details of the security breach, which took place between March 24 and April 18, on Friday.
The restaurants were “using terminals that read the magnetic strips of cards,” not the new chip card reader technology, Arnold said.
An investigation found the malware searched for data from the magnetic strips; many newer cards are equipped with microprocessor chips that make it harder for consumers’ information to be stolen while they’re making a payment.
Arnold noted the chip technology “does not stop malware,” adding that Chipotle continues to look for “ways to enhance our security measures.”
James Taliento, CEO of Huntington-based cybersecurity company Cursive Security, said chip readers would not have prevented the malware attack, but that they are “more secure” and could have “probably” protected the payment card data, depending on the sophistication of the malware.
“Chipotle should absolutely use [chip] technology,” he said.
Stolen data included account numbers and internal verification codes.
The information could be used to drain debit card-linked bank accounts, make “clone” credit cards, or buy items on certain less-secure online sites, said Paul Stephens of the nonprofit Privacy Rights Clearinghouse.
Long Island locations affected include Carle Place, Deer Park, Farmingdale, Garden City, Great Neck, Hauppauge (both locations), Hicksville, Huntington Station, Lake Grove, Lawrence, Levittown, Merrick, Mineola, New Hyde Park, Oceanside, Riverhead, Selden, Syosset, Uniondale, Valley Stream and Wantagh. For dates each location was affected, go to chipotle.com/security.