Chipotle says 60-plus Minnesota locales were hit by payment card malware

Nationwide fraud attack via payment cards lasted for more than three weeks until software was removed.

May 31, 2017 at 10:44AM
The Chipotle restaurant in the US Bank building in downtown Minneapolis was one of its locations affected by malware. (Dave Denney — Star Tribune/The Minnesota Star Tribune)

The Chipotle fast-food chain has identified more than 60 of its outlets in Minnesota as being among hundreds nationwide where customers were exposed to potential fraud when paying with credit or debit cards early this spring.

The Denver-based Mexican restaurant company said Friday that many of its locations were victims of malware, which surreptitiously searched for customer data such as a cardholder's name, card number, expiration date and internal verification code embedded in the magnetic stripe.

The findings come from completion of an investigation that Chipotle said involved leading cyber security firms, law enforcement and the payment card networks. The company made no mention of who might have been behind the malware effort or how it penetrated its "point of sale" devices.

Chipotle said in a statement that, during the investigation, it "removed the malware" that was active from March 24 through April 18 "and continues to work with cyber security firms to evaluate ways to enhance its security measures."

Chipotle urged customers who used their payment cards at the listed locations within the affected time frame to review billing statements for evidence of fraud and report anything suspicious to the card issuer. Other options include contacting the Federal Trade Commission or the attorney general's office at the state level.

Among the five dozen or so locations in Minnesota where customers' data were at risk of theft, 10 were in Minneapolis, three in St. Paul and dozens more in various suburbs. Outside the metro area, outlets were hit in Duluth, Mankato, Rochester and St. Cloud.

The Chipotle website offers a way to search for specific affected locations at the bottom of this page. The page, however, served up this caveat to the search tool: "Please note that not all locations were identified, and the specific time frames vary by location."

Paul Walsh • 612-673-4482

Chipotle said that malware infected payment devices at many of its restaurants nationwide. (The Minnesota Star Tribune)
Chipotle restaurant in the US Bank building in downtown Minneapolis, MN, 05/30/17. (David Denney/Star Tribune)
Malware infected more than 60 Chipotle restaurants in Minnesota, exposing customers using payment devices to fraud. (The Minnesota Star Tribune)