May 15, 2017 | Categories: Payments Industry News

Chipotle’s Payment System Hacked

Analysts had warned that POS system hacks were going to continue, and now they have been proved correct. In late April, it was announced that Chipotle had become the latest high-profile restaurant business to have its payments system hacked, joining the likes of Arby’s, Select Restaurants and Wendy’s, who have all experienced payments system compromises recently.

The Chipotle Hack & Their Reaction

In a statement issued on April 25, Chipotle said “We recently detected unauthorized activity on the network that supports payment processing for purchases made in our restaurant.”

The restaurant chain went on to say that it is investigating transactions made between March 24 and April 18, 2017. Chipotle added that it believed the steps it had taken would stop any unauthorized actions.

Talking further about the hack, Jack Hartung, chief financial officer for Chipotle, stated that law enforcement, a cyber security company and the chain's payment processor had teamed up to resolve the problem.

The restaurant chain then added that an investigation was ongoing and further information would be released later about the locations and dates of the potential data breach.

Customers have been told to check statements for any suspicious activity, which is the standard advice usually given following such incidents. However, at the time of writing, there weren’t any precise figures available regarding how many consumers might have been affected.

Restaurants & the Risk of Hacks

Although it will be of little comfort, Chipotle are far from alone in being targeted, and although hacks seem to have been in the news more often recently, they are not a recent concern.

A 2012 Verizon report demonstrated how restaurants are a popular target among hackers. The figures from 2012 showed that attacks on restaurants made up more than half of attacks on payment systems; a survey by Trustwave also indicated similar findings.

Restaurants are too often the focus of hackers due to the limited security some POS systems have. Unfortunately, restaurants' POS systems can be easily breached because of security flaws. For example, a lot of them depend on older Windows versions, such as XP, which are no longer supported by Microsoft, so no patches or updates are released to protect them from possible vulnerabilities.

Moreover, some small businesses, including restaurants, might not always comply with PCI guidelines, meaning their data is easier to compromise. Further, some small business owners don't realize the need to change the default password, which can leave them open to data hacks.

However, there are numerous other reasons why a POS system can be at risk, including poor installation and weak network security. Perhaps most worrying of all is that once a system has been hacked, the compromise can go undiscovered for a long time, leaving valuable data exposed and open to exploitation.

POS Systems & Poor Password Security

While it is clear from research that the restaurant and hospitality industry is at a higher risk, all retailers using a POS system are vulnerable to such attacks; one of the main reasons is poor password security.

Security firm Rapid7 has released data showing that too many people pick easy-to-guess passwords like admin or administration; these are often coupled with simplistic usernames, which are also far too easy to guess.

For improved security, passwords should consist of lowercase and uppercase letters, numbers and symbols. If you are setting a lot of passwords, then using a password manager will allow you to generate unique, random passwords, which will be much harder for criminals to crack.

What to Do if You Get Hacked

Chipotle says it will be contacting affected consumers, but here are some general guidelines for consumers who are concerned their financial data might have been compromised.

  • Keep a closer eye on bank statements and credit reports and look for any unusual or unauthorized activity.
  • If your card has been compromised, inform your bank, cancel it and request a new one.
  • Change any passwords linked to the account and always use different passwords for different accounts.
  • If you have any additional concerns about the nature of the data stolen, speak to the company – they should supply a helpline number if you’ve been notified of a hack.

Moreover, to limit the chances of data hacks, companies are advised to conduct regular monitoring of their systems, to carry out regular testing and to have a security plan in place.

It is also essential that companies keep up with the latest security updates, use tokenization and encryption to further secure data, and if they become a victim of a hack, companies should notify customers as soon as they realize

POS Security Issues

Security experts say this latest hack demonstrates just how vulnerable payments systems are to hacks and they say firms should be doing all that they can to prevent breaches. However, they also point out that even with implementing the latest in security and PCI compliance, systems can still be at risk.

Currently, damaging malware should be one of the most pressing concerns for the retail industry. Security firms have noted an uptick in malware attacks, with small businesses among the worst affected. New malware is constantly being developed, and criminals are always looking for fresh ways to exploit POS systems.


Chipotle is just the latest in a long line of restaurants that have been targeted by hackers. However, retail in general has regularly come under attack from criminals who are searching for the valuable data that these companies hold.

While several well-known businesses have fallen victim to hacks, smaller businesses are often a focus of this type of crime because there is a perception that they're less likely to have security precautions in place.

Poor security, failure to update software, weak passwords and a lack of PCI compliance can all contribute to a hack, and companies – regardless of their size – are advised to make all the reasonable efforts they can to protect customer data and secure their payment systems.

