Popular Mexican food chain Chipotle announced Friday that sensitive financial information of some customers was breached after detecting “unauthorized activity” on a payment network last month.
The sensitive information obtained by the hackers includes cardholder names, card numbers, expiration dates and security codes of Chipotle and Pizzeria Locale customers. Fifteen Chipotle locations in the San Diego area were affected.
Chipotle isn’t the first target of a massive cyberattack, and likely won’t be the last. A local cybersecurity CEO told NBC 7 that these kinds of attacks are on the rise because credit card and other sensitive customer information is increasing in value.
“The data are much more valuable now,” Ford Winslow, CEO of ICE Cybersecurity, said. “Credit card information can be sold from one cybercriminal to another cybercriminal without ever stealing your money.”
Chipotle detailed the hacking method in an online release as malware designed to pull payment card data from cards used at point-of-sale machines. The company said the malware was removed and that it is working continually with cybersecurity firms to “enhance our security measures.”
The malware attack is part of what Winslow described as a “new wave of cybercrime” and “big business” for hackers.
As for Chipotle customers fearful that their financial information may be at risk, Winslow said monitoring your accounts is all you can do.
“Monitor your bank accounts, change your passwords, make sure you’re using passwords on your phone and monitor your credit reports,” Winslow said. “Those are things you should be doing anyway.”
Winslow said that the attack on Chipotle should also open the eyes of businesses and employees, not just customers, to the risks of cybercrime and ways to guard against it.
“It’s not just your I.T. security department that needs to be concerned, but every individual within a company needs to be diligent about what you click on,” Winslow said.
“One thing about this attack that could have helped is an active phishing campaign,” Winslow added. “That’s where the company sends out emails like this to employees to see who’s going to click on something. That has proven to be very effective in stopping these types of attacks.”
To keep his own personal information safe, Winslow said he only makes purchases at retail establishments on a credit card that he replaces every three months.