The Inside Scoop: Chipotle’s Big Burrito Breach – Malware with a Side of Chips

It’s been a rough year for Chipotle. With rats literally falling from the ceiling in Dallas, Texas and norovirus outbreaks in Sterling, Virginia, it seems like things couldn’t get much worse for the fast-casual Mexican restaurant.

Too bad that rodents and food poisoning aren’t even the greatest threats facing Chipotle’s customers. Thousands of unsuspecting diners recently received a free side of cyber terror thanks to point-of-sale malware, malicious software designed to steal customer payment data.

The malware struck Chipotle restaurants nationwide between March 24 and April 18, 2017. Approximately 190 Chipotle restaurants were hacked in the District of Columbia, Maryland, and Virginia alone. So how did the hackers do it?

And what could Chipotle, its partners, and prospective partners have done to get in front of the attack in the first place?


The Inside Scoop: Keeping your finger on the pulse

Chipotle’s malware attack was unfortunate. It may have come as a surprise to the many die-hard fans of the fresh-Mex chain; but for those in the know, it was only a matter of time.

DiscoverOrg’s Triggers alert users to the story, which spans three years:

Chipotle Triggers indicate security breach is imminent

  1. 10/9/2014: DiscoverOrg first Triggered security issues at Chipotle in 2014: Chipotle Mexican Grill is in the midst of integrating Okta identity management into the company’s Workday platform for over 50,000 users.
  2. 2/9/2015: Just four months later, a hacker gained access to the company’s Twitter page and wreaked havoc.
  3. And a week later: (2/16/2015) Chipotle Mexican Grill is currently experiencing pain in relation to information security following a recent breach that compromised the company’s website, redirecting visitors or loading malicious code onto their computers.
  4. The following year, the company was still struggling with security issues: Chipotle Mexican Grill is currently seeking a Manager, IT Operations Services; this position is responsible for overseeing the company’s corporate and restaurant support teams in the provision of support for servers, networks, security, applications, and corporate systems. (4/22/2015)
  5. (10/26/2015) The company’s focus was still security: Chipotle Mexican Grill sources indicate that the company is planning implementations of new security applications. Nick Jones currently serves as IT Production Security Analyst.
  6. And by the beginning of 2017: Chipotle Mexican Grill sources have indicated plans for upcoming IT initiatives related to the creation of a security operations center organization. Chipotle is expected to partner with vendors to support these efforts. (1/17/2017)
  7. (1/17/2017) Chipotle Mexican Grill is currently seeking a Manager, IT Security Operations; this position is responsible for operating a security operations center and improving security processes, as well as managing the company’s virus scanning, rogue host detection, SIEM, and file integrity monitoring tools.

DiscoverOrg's Chipotle OppAlerts

The following month, DiscoverOrg issued this OppAlert – triggered at the exact moment the company’s most active content consumer is actively researching a specific topic, from tortilla chips to credit card chips (and before they ever reach out or visit the website).

In February of 2017, this OppAlert indicated someone working in Network Security had just one thing on their mind: Intrusion detection.

Triggers and OppAlerts can be customized to align with a very granular Ideal Customer Profile.

Point-of-sale malware – and how to prevent it

So how can consumers prevent this type of attack?

Point-of-sale (PoS) malware attacks are fairly common, and they’re a popular method for hackers who want debit and credit card information. The hacker has two main options: infiltrate the databases where the card data is stored, or capture the data at the point of sale. A third, less common method involves physically planting additional hardware onto the store’s card reader.

If the point-of-sale card breach is successful, the hacker will soon have access to the cardholder’s full name, card number, card expiration date, and the internal verification code.

The only way to resolve this as a cardholder is to call the bank and have them issue an entirely new card with a security chip. Yes, this does mean that you’ll need to update your Spotify and Uber payment information, but better inconvenienced than bankrupted.

That chip is part of something called EMV technology, specifically designed to prevent these point-of-sale hacks and to keep accounts safe. In a nutshell, the chip inside these new cards creates a unique code that can only be used once. When the card is inserted into the payment terminal, the chip sends its code to the issuing financial institution, which then verifies it and authorizes the transaction for completion.
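The one-time code described above can be modeled in a few lines. This is an added, simplified example and not part of the original article or of the EMV specification: HMAC-SHA256 stands in for the real EMV cryptogram algorithm, and the names ChipCard, Issuer, and the message layout are hypothetical. It shows why data captured at a terminal cannot be reused: the issuer rejects a replayed counter and any altered transaction field.

```python
import hashlib
import hmac
import secrets


def _message(pan, atc, amount_cents, nonce):
    # Assumed field layout for this sketch; real EMV uses a defined data object list.
    return f"{pan}|{atc}|{amount_cents}|{nonce}".encode()


class ChipCard:
    """Toy chip: holds a secret key and a per-transaction counter."""

    def __init__(self, pan, key):
        self.pan, self._key, self._atc = pan, key, 0

    def authorize_request(self, amount_cents, terminal_nonce):
        self._atc += 1  # every transaction gets a fresh counter value
        msg = _message(self.pan, self._atc, amount_cents, terminal_nonce)
        code = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return {"pan": self.pan, "atc": self._atc, "amount": amount_cents,
                "nonce": terminal_nonce, "code": code}


class Issuer:
    """Toy issuer: shares each card's key and remembers the last counter seen."""

    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def enroll(self, pan):
        self._keys[pan] = secrets.token_bytes(32)
        self._last_atc[pan] = 0
        return ChipCard(pan, self._keys[pan])

    def verify(self, req):
        key = self._keys.get(req["pan"])
        if key is None:
            return "unknown card"
        msg = _message(req["pan"], req["atc"], req["amount"], req["nonce"])
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["code"]):
            return "bad code"   # fields were altered or the key is wrong
        if req["atc"] <= self._last_atc[req["pan"]]:
            return "replayed"   # this one-time code was already used
        self._last_atc[req["pan"]] = req["atc"]
        return "approved"


def demo():
    issuer = Issuer()
    card = issuer.enroll("4111111111111111")        # constructed test number
    req = card.authorize_request(1250, "a1b2c3d4")  # constructed nonce
    first = issuer.verify(req)
    replay = issuer.verify(dict(req))               # captured copy sent again
    altered = {**card.authorize_request(1250, "e5f6a7b8"), "amount": 99999}
    return first, replay, issuer.verify(altered)
```

A magnetic-stripe swipe has no equivalent of the counter or the keyed code, which is why the static data it exposes can be copied and reused.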

So what can you do, as a consumer, to keep yourself safe from point-of-sale hacks?

If you have the option, always insert your chip into the reader. It takes approximately one lifetime to process, but it will keep your account safer. Additionally, if you have any ancient plastic that has yet to be upgraded, call your bank and have them switch out those cards to chip technology. It’s free, I promise.

A customer-first approach

Chipotle’s three-year saga presented multiple opportunities to vendors hoping to sell to the company.

Merchant services could have promoted cutting-edge, preventative solutions to customers. Security solutions might have helped the embattled company avoid future hacks. A PR firm may have been welcome as well.

Research shows that the first seller in the door wins the business over 60% of the time. It’s always an advantage to get the inside scoop.

Winning business is everyone’s goal, but knowing what’s important to your prospects translates to money saved, attacks thwarted, and disasters averted.


Note: Writer and content strategist Jeffrey Harvey cowrote this piece. Based in Washington, DC, Jeff’s experience includes broadcasting, strategic communications, PR, marketing, and media analysis. He has written prolifically on subjects including technology, healthcare, and arts and entertainment. His original one-act play, Coffee, won a staged reading at the Kennedy Center in the Source Theater Festival.

Danielle Cole

Danielle is a Research Analyst on the Survey Operations and Analytics Team at RainKing Solutions.