A cybersecurity hack that hit the majority of Chipotle locations allowed the hackers behind it to steal information from credit cards used by customers, confirmed the burrito maker.
The company made a first acknowledgement of the breach April 25, but late last week through a blog post revealed the type of malware that had been used in the attack and what restaurants had been affected.
The list of locations attacked is very extensive and included many of the larger U.S. cities. One spokesperson for the burrito chain said that most, but not every restaurant was involved.
Chipotle said in its Friday blog post that it had been working with officials from law enforcement as well as cybersecurity companies on the investigation.
The breaches took place between from March 24 to April 18 and the malware worked through infecting the cash registers and was able to capture the information that had been stored on credit card magnetic strips known as track data.
Chipotle said that track data includes at times the name of the cardholder, the card number, the expiration date and the internal verification code.
Chipotle said no indications exists that other types of personal information were taken.
During its investigation the restaurant chain said it removed all the malware, and would continue working with firms in cybersecurity to evaluate more ways to enhance company security measures.
A list of all restaurants as well as times they had been affected can be seen on the official website of Chipotle.
The company has recommended that clients scan their statements from their credit cards for possible fraudulent activity since the malware attack begin. It also said that victims should be in contact with the Federal Trade Commission, their home state attorney general or their local police.
Over the past three to four years, cyberattacks have become more commonplace due to the complex malware that hackers use today to breach security systems online.
Home Depot and Target were hit with huge attacks on their payment systems that cause large amounts of losses for credit card issuers.
The risk of having personal credit card information goes much further than just the possibility of fraudulent charges. More and more identity theft cases are being uncovered that originated from data that was sold then used or sold to third parties that used it to steal the identifies of people to gain credit at banks or other financial institutes.