The complaint for this class action alleges that when hackers accessed the point-of-sale systems at Chipotle locations throughout the US, customers and victims didn’t hear anything about the data theft for a month. The complaint further claims that these data breaches were caused by Chipotle’s failure to adequately secure Payment Card Data (PCD) as well as other Personally Identifiable Information (PII). These failures, the complaint says, violate California law as well as other laws that cover breach of contract.
Two classes exist for this action. The national class consists of all persons living in the US whose personal and/or financial information was exposed in the data breach. The California class consists of all persons living in California whose personal and/or financial information was exposed in the data breach.
According to the complaint, on or about March 24, 2017, hackers accessed point-of-sale (POS) systems at Chipotle stores throughout the US and stole customer information. Chipotle admits that the hackers maintained their access to the majority, if not all, of Chipotle’s locations through April 18, 2017. Chipotle confirmed the breach of information only on or about April 25, 2017.
The complaint alleges that security measures were so poor that the data breach was allowed to continue for over three weeks before Chipotle even detected it. Even by May 27, spokesperson Chris Arnold said that Chipotle did not know how many payment cards or customers at its 2,250 restaurants were involved in the breach.
According to the complaint, the hackers used malware similar to that used in earlier data breaches at Target and Home Depot. While many businesses have adopted technology to make information more secure after these breaches, the complaint says, Chipotle has not, thus violating customers’ expectations that the business will have state-of-the-art security practices.
Unlike PII, PCD is heavily regulated. The Payment Card Industry Security Standard sets requirements for safeguarding payment card information. While it doesn’t require that personal information be segregated from other information, segregation is recommended, because PII can be very useful in perpetrating larger frauds. According to the complaint, Chipotle failed to keep data segregated in this way and has still not disclosed how the breach occurred or the types of PII or PCD information stolen during it.
The Federal Trade Commission estimates that 10 million Americans may have their identities stolen each year, and that identity thieves can “drain your bank account, run up your credit cards, open new utility accounts, or get medical treatment on your health insurance.” Further, personal information can be used for fraudulent purposes such as immigration fraud, obtaining a driver’s license in the victim’s name, using the victim’s information to obtain government benefits, or filing tax returns in the victim’s name to obtain a fraudulent refund. Some of these frauds may not become known for years.