Most of Chipotle’s 2,250 restaurants, including its San Diego State location, were affected in a nationwide security breach, the company said in a statement May 26.
The company said malware designed to access payment card data affected restaurants between March 24 and April 18.
The malware searched for track data, which sometimes includes a cardholder’s name in addition to the card’s number, expiration date and internal verification code, the statement said.
“During the investigation we removed the malware, and we continue to work with cyber security firms to evaluate ways to enhance our security measures,” the company’s statement said. “In addition, we continue to support law enforcement’s investigation and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring.”
The statement advised customers to immediately report any unauthorized charges to their payment cards.
The company said the statement was released at the conclusion of an investigation into the breach. Chipotle first reported knowledge of the hack on April 25.
A representative from the company was unable to be immediately reached for comment.