NewsRegion C Palm Beach CountyWest Palm Beach


What to do if you ate at Chipotle during the massive data breach

Posted at 9:08 PM, May 31, 2017
and last updated 2017-05-31 21:08:40-04

Fast-food chain Chipotle is still dealing with the after-effects of a data breach.

The company is revealing the full list of locations across the country involved in the massive cyber security attack, in which hackers used malware to access data from millions of cards used at Chipotle registers nationwide.

If you scanned your credit or debit card at a Chipotle between March 24 and April 18, you could be affected.

Click here to look at a list of local locations, which stretches from Boca Raton to Vero Beach.

Despite the hack, we still saw long lines outside Chipotle restaurants on Wednesday. Customer Sara Lirosi and some of her friends consider themselves loyal fans.

"It's pretty good. It's not a filet mignon but it'll do!" she joked.

Chipotle had previously made headlines in late 2015 after several people got sick from eating food infected with E. coli. Now, Lirosi's regular visits to the fast-food chain these past couple of months may have cost her.

"It's unfortunate that things happen to businesses like credit card fraud and E. coli but you have to look past that and you got to live," she said. "You can fix your credit cards but you can't fix your love for Chipotle."

The malware infected cash registers and captured information stored on the magnetic strip on credit cards, which is called "track data." Chipotle said in a blog post on its website that track data sometimes includes the cardholder's name, card number, expiration date and internal verification code.

"For this particular system, [the hackers] had to have been very clever and been around the block. They knew what they were doing," said WPTV tech consultant Alan Crowetz. "The bigger companies are generally more difficult to get into, but once you get into there it's a treasure trove because you're going to get so much valuable information there."

Crowetz, president/CEO of Infostream, Inc. in West Palm Beach, said the hackers most likely sold the data on the Dark Web.

"There's a whole market for this kind of thing. It's not just using the cards. This breach was so large, odds are they sold the credit card numbers to other bad guys," he said.

He offered these tips on what to do in a credit card security breach.

For starters, check your credit card and bank statements. You don't have to cut up your credit cards just yet.

"So even if you've eaten at Chipotle, relax. Take a look at your statements. Just keep an eye on things," he said. "There's no need to shred your card or go to extreme lengths."

If you see suspicious activity on your credit statements, call your credit card company immediately to dispute charges.

"Sometimes you have to do it in writing, but start the process with a phone call. Google the charges, does it ring any bells? See what kind of information you can find out by calling the credit card company and make sure you alert them," said Crowetz.

It might also be a good idea to set up credit monitoring. You can get a copy of a credit breach action checklist by clicking here.

"Many times with these breaches, people don't discover it for months and months later," said Crowetz. "They may make several little charges and keep taking advantage of it."

Crowetz cautions against using debit cards when you feel like your data might or could be compromised.

"It's easier to dispute money when they're trying to take it from you than when money is actually taken out of your account," he said.

He also advises to do your best to physically keep track of your credit card while going out. There have been instances where restaurant or retail employees will skim or make copies of a card when they take it back to a register for a transaction.

"Some restaurants now are letting you swipe at the table or not give the card up. Or use an app," he said.

Cash, if not carried in large amounts in your wallet, may also be another option from using plastic.

Crowetz showed us a handy website called If allows you to type in your email address to see if you've been involved in data breaches. Your email address is usually tied to user accounts, subscriptions or rewards programs with various companies.

WPTV's Alanna Quillen found out she was involved in three different security hacks with Adobe, LinkedIn and Tumblr. All three breaches involved hackers gathering personal information and passwords.

"A lot of people use the same or similar passwords across different accounts. So in your case, who cares if your Adobe account got breached into or maybe your linked in. But if you used that same password on your bank? Now you've got a problem," said Crowetz.

Because credit fraud laws have changed over the years, Crowetz believes Chipotle will be taking a financial hit from the breach.

"No longer is the credit card company paying for these mistakes, the vendor is. So, now Chipotle will have to make up the cost and damages associated with these cards being stolen, which for many companies can be a very large impact," he said. "They're a food provider, not a security company so this is a whole set of problems they'll have to learn and figure out how to fix."

While there's no word on any free meals or coupons to make-up for the breach, diehard Chipotle fans said they're not going anywhere.

"Chipotle has gone through things that you thought would shut them down prior but they're still striving regardless," said customer Sam LeGrand. "It just goes to show you that it doesn't really matter how powerful you are as a business. There's always a risk to security for the company."

Chipotle said it is working with law enforcement officials and cyber security firms on an investigation.

Local restaurants told WPTV they haven't been told to make announcements to customers but the company has dedicated a whole section of their website to the situation.

You can find affected locations and information on getting your free credit report and putting a security freeze on your credit file by clicking here.