Bellwether Community Credit Union has filed a class-action lawsuit against Chipotle and is seeking damages related to the fast-casual restaurant company's recent data security breach, according to documents filed in a Colorado District Court on May 4. The suit is the latest in a chain of class-action complaints filed against retailers and restaurant companies, such as Arby's, Wendy's, Home Depot and Target.
The complaint alleges the breach compromised names, credit and debit card numbers, card expiration dates, card verification values and other information of Chipotle customers nationwide. It also said the breach forced credit union and other financial institutions to cancel or reissue cards, close accounts, stop payments, block transactions, issue refunds, increase fraud monitoring efforts and deal with cardholder complaints and confusion. Credit unions and financial institutions also lost interest and transaction fees due to reduced card usage, and the cards and their corresponding account numbers became worthless, it added.
“Though an investigation is still ongoing, it appears that hundreds of thousands of defendant's customers at locations nationwide have had their credit and debit numbers compromised, have had their privacy rights violated, have been exposed to the risk of fraud and identify theft, and have otherwise suffered damages,” the complaint alleged.
Manchester, N.H.-based Bellwether Community Credit Union, which has $488 million in assets and 34,000 members, said the breach's damages exceed $5 million and involve at least 100 financial institutions.
The suit also claims that, among other things, Chipotle failed to ensure it maintained adequate security measures, didn't use best practices and didn't upgrade its security systems. Bellwether also alleged that Chipotle hasn't implemented EMV in its stores.
Chipotle's most recent 10-K noted that the company experienced a possible breach in 2004. That one cost about $4.3 million in losses and related expenses, it reported.
“Despite its 2004 data breach, Chipotle quite obviously failed to upgrade its data security systems in a meaningful way so as to prevent future breaches,” the complaint said.
“Defendant's public statements to customers after the data breach plainly indicate that defendant believes that card-issuing institutions should be responsible for fraudulent charges on cardholder accounts resulting from the data breach. Chipotle has made no overtures to the card-issuing institutions that are left to pay for damages as a result of the breach,” the complaint added.
In an April 25 statement addressing the breach, Chipotle said it had detected unauthorized activity on the network that supports its payment processing for purchases made in its restaurants.
“We immediately began an investigation with the help of leading cyber security firms, law enforcement, and our payment processor. We believe actions we have taken have stopped the unauthorized activity, and we have implemented additional security enhancements. Our investigation is focused on card transactions in our restaurants that occurred from March 24, 2017 through April 18, 2017. Because our investigation is continuing, complete findings are not available and it is too early to provide further details on the investigation,” it said.
Bellwether Community Credit Union Credit Union asked the court to, among other things, require Chipotle to use industry standard encryption of cardholder data at the point of sale, implement EMV technology, use third-party auditors to test its systems for weakness, train data security personnel about how to respond to a data breach and install manufacturer-recommended upgrades to its security software and firewalls.
As of March 31, 2017, Chipotle operated over 2,200 restaurants in the United States, as well as 34 international locations. It reported $3.9 billion in revenues in 2016. Its most recent 10-K notes that 70% of its 2016 sales were attributable to credit and debit card transactions.
“The risk of another such breach is real, immediate, and substantial,” the complaint said. “If another massive data breach occurs at Chipotle, plaintiff and members of the class will likely incur hundreds of millions of dollars in damage.”
Complete your profile to continue reading and get FREE access to CUTimes.com, part of your ALM digital membership.
Your access to unlimited CUTimes.com content isn’t changing.
Once you are an ALM digital member, you’ll receive:
- Breaking credit union news and analysis, on-site and via our newsletters and custom alerts
- Weekly Shared Accounts podcast featuring exclusive interviews with industry leaders
- Educational webcasts, white papers, and ebooks from industry thought leaders
- Critical coverage of the commercial real estate and financial advisory markets on our other ALM sites, GlobeSt.com and ThinkAdvisor.com
Already have an account? Sign In Now
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
