Chipotle Class Action Alleges Failure to Safeguard Customer Info

Chipotle Mexican Grill Inc. is facing a class action lawsuit accusing it of failing to safeguard its customers’ payment card information, leading to the compromise of this data in a data breach earlier this year.

Around March 24, 2017, Chipotle’s point-of-sale systems were reportedly targeted by hackers who used malicious software to steal customers’ private information, according to the data breach class action lawsuit.

The malware was reportedly installed in a majority of Chipotle restaurant locations through April 18. Chipotle confirmed the data breach on April 25, according to the Chipotle class action lawsuit.

“Defendant’s security protocols were so deficient that the Data Breach continued for over three weeks while Defendant failed to even detect it—this despite widespread knowledge of the malicious software (or malware) used to perpetrate the Data Breach, which, upon information and belief, was similar to the malware used to perpetrate the earlier, notorious, and widely reported data breaches affecting retailers Target and Home Depot,” plaintiff Kristin Baker alleges in the Chipotle class action lawsuit.

Although Chipotle has indicated that it does not know the total number of customers affected by the data breach, Baker estimates the number of potential Class Members could be in the tens of millions.

Baker argues that Chipotle could have prevented the data breach, especially because the malware used to target point-of-sale systems was similar to the malware used in the Home Depot and Target data breaches. According to the Chipotle data breach class action lawsuit, the Mexican food chain failed to adopt technology that makes transactions more secure.

According to the data breach class action lawsuit, Chipotle’s failure to “take reasonable measures to ensure its data systems were protected” and its failure to take steps to prevent the data breach from happening made customers’ information vulnerable to hackers.

Baker says she would not have made a purchase at a Chipotle restaurant, or would not have paid as much for her purchase, if she had known the restaurant chain failed to take precautions necessary to safeguard her personal and financial data.

The Chipotle data breach class action lawsuit alleges the restaurant chain failed to keep customers’ personal identification information, such as cardholders’ names and mailing addresses, separate from their payment card data, contrary to the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is designed to ensure companies protect cardholder data.

Personal identification information and payment card information is extremely valuable to hackers because it can be sold on the black market. The information can be purchased and used by criminals to perpetrate fraud, identity theft, or other crimes that harm victims. Baker asserts that these effects can be quite damaging, and harm a person’s credit score, job prospects and ability to obtain government benefits. Some criminal activity related to a data breach may not come to light for years.

“Plaintiff and Class members now face years of constant surveillance of their financial and personal records, monitoring, and loss of rights,” Baker says in the Chipotle class action lawsuit.

The Chipotle data breach class action lawsuit asserts violations of the California Customer Records Act, breach of implied contract and violation of the California Unfair Competition Law. Baker seeks injunctive relief, restitution, disgorgement of revenues, actual damages, compensatory damages, statutory damages, attorneys’ fees and costs, and other relief the court deems proper.

Baker is represented by Tina Wolfson of Ahdoot & Wolfson PC and Cornelius P. Dukelow of Abington Cole + Ellery.

The Chipotle Data Breach Class Action Lawsuit is Kristin Baker v. Chipotle Mexican Grill Inc., Case No. 5:17-cv-01134, in the U.S. District Court for the Central District of California.

UPDATE: The Chipotle Data Breach Class Action Lawsuit was voluntarily dismissed on July 5, 2017. Top Class Actions will let our viewers know if an amended complaint is filed.