Chipotle Mexican Grill Reports Findings from Investigation of Payment Card Security Incident

Update – July 25, 2017

The time frames that were listed when this notification was first posted varied by restaurant but in each case began no earlier than March 24, 2017 and ended no later than April 18, 2017. Updated findings from the investigation confirmed the time frames listed for the restaurants on this website. The investigation did find that two additional restaurants may have been involved: 501 Bloor Street W, Toronto, ON M5S 1Y2; 5089 Dixie Road, Building B, Unit B1, Mississauga, ON L4W 5K1. The additional locations have been updated on this website accordingly.

Chipotle Mexican Grill, Inc. (Chipotle) is providing further information about the payment card security incident that Chipotle previously reported on April 25, 2017. The information comes at the completion of an investigation that involved leading cyber security firms, law enforcement, and the payment card networks.

The investigation identified the operation of malware designed to access payment card data from cards used on point-of-sale (POS) devices at certain Chipotle restaurants between March 24, 2017 and April 18, 2017. The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device. There is no indication that other customer information was affected. A list of affected Chipotle restaurant locations and specific time frames is available here. Not all locations were involved, and the specific time frames vary by location.

It is always advisable to remain vigilant to the possibility of fraud by reviewing your payment card statements for any unauthorized activity. You should immediately report any unauthorized charges to your card issuer because payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner.  The phone number to call is usually on the back of your payment card.  

During the investigation we removed the malware, and we continue to work with cyber security firms to evaluate ways to enhance our security measures. In addition, we continue to support law enforcement’s investigation and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring.

We regret that this incident occurred and apologize for any inconvenience. If customers have questions regarding this incident, you can call 888-738-0534 Monday through Friday between the hours of 9:00 a.m. and 9:00 p.m. EDT.

Restaurants and timeframes that relate to this notification

You can use the locator tool below to check for a restaurant identified during the investigation and its specific time frame. Please note that not all locations were involved, and the specific time frames vary by location.

An “*” indicates a location added to the website.

Address ZIP Dates
No restaurants were affected in your area.