Restaurant chain Chipotle has detected “unauthorized activity” on a network that supports its payment processing for purchases made at its restaurants.
According to Fortune, CFO Jack Hartung told Wall Street analysts during an investor presentation that the company's payment processing system was hacked. He said: “We want to make our customers and investors aware we recently detected unauthorized activity on a network that supports payment processing for purchases made in our restaurants.
"We will refrain from providing additional commentary now or in the Q&A. We anticipate notifying any affected customers as we get further clarity about the time frames and the restaurant locations that might have been affected.”
He said that Chipotle had implemented additional security measures and were working with a cybersecurity firm, law enforcement and the payment processor to address the matter. It estimated that the incident occurred between March 24 and April 18.
Raj Samani, chief scientist at McAfee, said that whilst it is still unclear how many customers and restaurants were affected, it is imperative that businesses take control of their cybersecurity and introduce efficient security measures long before these hacks actually happen.
“Many customers across the US, Canada and UK will be left wondering today if they have been caught up in this hack and whether or not they have purchased a very expensive burrito,” he said.
“Until Chipotle release additional information, customers will be unsure whether they have been targeted and if their data or money is in the hands of criminals.”
Tim Erlin, Tripwire vice-president, added that while we may have become numb to breaches, criminals continue to target point of sale terminals.
“As long as compromised credit card data continues to be a valuable commodity on the black market, any company collecting or processing valid credit card information will continue to be a high value target,” he said.
“The best advice for companies running point of sale systems is to isolate and lock down the devices as much as possible. Point of sale terminals are typically low change environment; implementing security configurations and closely monitoring for any change can both prevent and detect any potential attacks. These systems should talk to predictable destinations both internally on the network as well as externally on the internet. Carefully monitoring communications for anomalies can help identify successful attacks.”
Javvad Malik, security advocate at AlienVault, said: “The attack against the payment systems highlights that even with PCI DSS controls in place to segment and protect payment networks, companies need to remain vigilant against attacks and have broad monitoring and threat detection capabilities in place that can alert to an attack in a timely manner so that the appropriate response may be taken.”