Chipotle’s Very Bad Year

Chipotle has certainly had a rough couple of years.  First, in 2015, they were linked to outbreaks of E. coli, salmonella and norovirus, which affected hundreds of people.  Not surprisingly, sales steadily dropped for a time after that.

Now, just when it looked like that trend would experience a positive reversal, the chain gets hit with a data breach.  Between March 24 and April 18, hackers hit Chipotle’s Point-of-Sale devices with malware, carrying out an attack that compromised payment data from most of its 2,250 restaurants.  According to Paul Stephens, director of policy and advocacy at the non-profit Privacy Rights Clearinghouse, the information, lifted from the cards’ magnetic stripes, could help drain debit-linked bank accounts or counterfeit credit cards.

Unfortunately for Chipotle, they stumbled right out of the gate with this incident.  Since the restaurants don’t take customers’ names or contact information upon purchase, there was seemingly no way to reach out directly to every potential breach victim.  Chipotle instead relied on website announcements and news releases, hoping anybody affected would take notice.  A concrete method of alerting your customers to danger and potential fraud, this is not.  A good way to leave yourself open to fines, however, it just might be.

If that happens, Chipotle would be in a similar boat as Target, which recently settled claims totaling $18.5 million stemming from their 2013 mega breach.

Implicated nevertheless by the breach is the conclusion that many still lack sufficient compliance with data security standards—otherwise this wouldn’t have happened, implies Julie Conroy, research director at research and advisory firm Aite Group.  Rather than mere intransigence, though, other evidence suggests that security officers are often just overwhelmed, or incapable of addressing the issues as things stand.  This stems from a global survey by IT vendor SecurityNow, which finds a vast majority of CISOs (out of 300) reporting that not all detected breaches get dealt with, and that prioritizing threats remains a challenge.  Along with these factors, shortcomings in expertise, the difficulties of manual processes, and a spending focus on detection and prevention—all of these hamper the ability of a company to respond effectively to an incident.  Most concerning to me is the 7% statistic, representing the CISOs who think their employees are unable to prioritize those threats.

More than one in 10, meanwhile, reported a financially and reputationally damaging security incident within the last few years.  This figure is only going to swell as hacker strategies grow more creative and intricate, especially if CISOs aren’t given the tools and resources to ensure maximum safety for their company’s data.  Well, hopefully they will at least effectively notify their customers when a breach occurs.