Chipotle Mexican Grill today announced that it has identified the malware that was responsible for the credit card hack earlier this year. Alongside the news, it also released a new tool to help customers check whether the restaurant they visited was involved. When pressed by The Verge, Chipotle did not disclose the exact numbers of restaurants affected, but said “most” locations nationwide may have been involved.
“The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device,” Chipotle said in a statement. “There is no indication that other customer information was affected.”
We browsed through the tool and found that every state Chipotle operates in had restaurants that were breached, including most major cities. The restaurants were vulnerable in various time frames between March 24th and April 18th, 2017. Chipotle also operates another chain called Pizzeria Locale, which was affected by the hack as well. (The list of identified restaurants can be found here, which includes locations in Kansas, Missouri, Colorado, and Ohio.)