
Class-action suit filed alleging Chipotle’s ‘elementary’ security, negligence led to data breach

DENVER – Chipotle faces a class-action lawsuit over the potential data breach the company first reported last month, alleging that the company’s willful negligence and “elementary” security measures led to the breach and are now costing banks and customers money.

The Denver-based company first reported the possible breach late last month, saying that credit and debit cards used between March 24 and April 18 of this year may have been compromised by “unauthorized activity” on company servers.

“Consistent with good practices, consumers should closely monitor their payment card statements. If anyone sees an unauthorized charge, they should immediately notify the bank that issued the card,” the company said in its statement. “Payment card network rules generally state that cardholders are not responsible for such charges.”

And that statement is exactly what the lawsuit filed May 4 in the U.S. District Court of Colorado claims is the basis for the suit.

The suit’s class has yet to be certified, but it was filed by New Hampshire-based Bellwether Community Credit Union on behalf of all “credit unions, banks, and other financial institutions” that may have had to reissue customers’ cards compromised in the breach, close compromised accounts, or remedy any false transactions.

The suit claims that there are more than 100 members of the proposed class, and that alleged damages exceed $5 million.

Though it’s still unclear how many customers may have been affected in the alleged breach, the suit claims that the company knew it was putting itself at risk for further security breaches after a 2004 breach and a handful of recent ones involving other food-service companies.

“The deficiencies in Chipotle’s security system include a lack of elementary security measures, which even the most inexperienced IT professional could identify as problematic,” the suit says.

It claims that the company, which had around 2,250 U.S. locations as of March 31, failed to upgrade its security after a breach the company says cost it about $4.3 million between 2004 and 2006.

The suit also cites Chipotle’s February 2017 annual report to the U.S. Securities and Exchange Commission (SEC), in which the company itself said:

“We may in the future become subject to additional claims for purportedly fraudulent transactions arising out of the actual or alleged theft of credit or debit card information, and we may also be subject to lawsuits or other proceedings in the future relating to these types of incidents … Consumer perception of our brand could also be negatively affected by these events, which could further adversely affect our results and prospects.

“The liabilities resulting from any of the foregoing would likely be far greater than the losses we recorded in connection with the data breach incident in 2004.”

The suit claims that one of the biggest problems that led to the hacking was Chipotle’s failure to adhere to credit card companies’ regulations that required companies to start using chip technology by October 2015.

The chips mask the card data contained in each transaction, unlike the older magnetic-stripe cards.

But the suit claims that Chipotle stated specifically that it would not switch over to the chip-only system because it would “slow down customer lines.”

By doing so, the company opened itself up to damages from litigation under the card companies’ regulations, which said that any business not meeting the October 2015 deadline would “agree to be liable for damages resulting from any data breaches,” according to the lawsuit.

The suit says that Chipotle has said that 70 percent of its sales involved a debit or credit card transaction, and estimates that “hundreds of thousands” of Chipotle customers could have had their private credit and debit card numbers, and information relating to them, compromised.

Since the burden is on banks to close accounts and reissue new cards, the suit claims that any bank having to do so because of the Chipotle breach is damaged by the breach and subject to compensation.

The class, should it be certified, requests damages and injunctive and declaratory relief on the basis that Chipotle was negligent in its failure to upgrade its security systems for transactions and data storage.

It asks a judge to issue an injunction forcing Chipotle to adhere to industry-standard encryption methods, switch to chip-card readers, and undergo a large audit and subsequent upgrade of its security systems.

A request for comment made to Chipotle had not been returned as of the time of publishing.

A scheduling conference for the case has been set for July 18 in Denver.