In its Form 10-Q dated April 25, 2017 for the quarterly period that ended on March 31, 2017, Chipotle Mexican Grill, Inc. announced that it had detected a data security breach in its electronic processing and transmission of confidential customer and employee information.  Specifically, Chipotle’s information security team detected unauthorized activity on the network that supports payment processing for its restaurants in April 2017.  Chipotle reported that it immediately began an investigation with the help of leading computer security firms, and self-reported the issue to payment card processors and law enforcement agencies.  Chipotle stated that its investigation, which is ongoing, is focused on card transactions at its restaurants that occurred from March 24 through April 18, 2017.  

Chipotle stated that 70% of its sales in 2016 were attributable to credit and debit card transactions – meaning that the extent of the breach could be quite large. Chipotle also stated that it plans to provide notification to affected customers once it obtains more details about “the specific timeframes and restaurant locations that may have been affected.” 

Chipotle disclosed that as a result of the breach, the company could be “subject to lawsuits or other proceedings in the future relating to this incident or any future incidents in which payment card data may have been compromised.  Proceedings related to theft of credit or debit card information may be brought by payment card providers, banks and credit unions that issue cards, cardholders (either individually or as part of a class action lawsuit), or federal and state regulators.”  Chipotle added that “any such proceedings could distract our management from running our business and cause us to incur significant unplanned losses and expenses.” 

In response to the breach, Chipotle noted that it has implemented additional security enhancements and “will continue to work vigilantly to pursue this matter to resolution.”  

Chipotle has set up a web page to provide updates on the breach, and it has recommended that consumers monitor their payment card statements and notify the bank that issued the card if they see unauthorized charges.  Chipotle wrote on its web page that payment card network rules state that cardholders are not responsible for unauthorized charges.