CNBC reports that the Chipotle credit card breach originally disclosed last month was a bit wider than initially reported. The network that supports payment processing for purchases at the Mexican chain restaurant also supports another company – Pizzeria Locale, which was also involved in the Chipotle credit card breach.
Chipotle serves a large quantity of customers very quickly, meaning that they have lots and lots of credit card data, so it only makes sense that they would be targeted by fraudsters. It remains to be seen how malware got onto their systems, but cyber criminals have been known to be very brazen when they have enough interest in a target. According to Krebs on Security, in the case of the CiCi’s Pizza breach, the perp walked right into a CiCi’s store and tricked store employees into installing the malware on their network.
CiCi’s and Chipotle, as credit card processors, were both of course “PCI-Compliant”, meaning they have met the requirements of a security framework that is weak and full of holes. Like HIPAA, PCI was designed so that even small businesses with limited resources can comply. Hershey Entertainment suffered the same fate in 2015 – they were “PCI-Compliant” and suffered the consequences when they were breached. As if the fines were not bad enough, this is also horrible PR.
Still reeling from the E. coli scare, Chipotle does not want any more bad press, and is not being forthcoming with their customers, referring to this using the beat-around-the-bush term “data security incident”. It should say CHIPOTLE CREDIT CARD BREACH.
If you are a business like CiCi’s, Chipotle, or Hershey, PCI is nowhere near strong enough to protect your data – your security program needs to be based on a combination of NIST, ISO, and other much better security frameworks. Instead of implementing a weak framework like PCI to keep the board happy, hire a competent cyber security firm and implement a comprehensive security program designed to meet your company’s needs.