A second credit union is suing Chipotle for damages related to the fast-casual restaurant company’s recent alleged data breach.
Benton, Ark.-based Alcoa Community Federal Credit Union filed a class-action suit against Chipotle on May 26 in a Colorado District Court. Similar to another class-action suit filed by Bellwether Community Credit Union on May 4, Alcoa Community’s suit said that the alleged breach compromised names, credit and debit card numbers, card expiration dates, card verification values and other information of hundreds of thousands of Chipotle customers nationwide.
Alcoa Community FCU has $43 million in assets and about 5,900 members. Manchester, N.H.-based Bellwether Community Credit Union has $488 million in assets and 34,000 members.
In its suit, Alcoa Community FCU also claimed the breach forced some credit unions and other financial institutions to cancel or reissue cards, close accounts, stop payments, block transactions, issue refunds, increase fraud monitoring efforts and deal with cardholder complaints and confusion. Affected credit unions and financial institutions also lost interest and transaction fees due to reduced card usage, and the cards and their corresponding account numbers became worthless, it added.
“The Chipotle data breach was the inevitable result of Chipotle’s inadequate data security measures and approach to data security,” Alcoa Community’s class-action complaint alleged. “Despite the well-publicized and ever-growing threat of cyber breaches involving payment card networks and systems, Chipotle systematically failed to ensure that it maintained adequate data security measures, failed to implement best practices, failed to upgrade security systems, and failed to comply with industry standards by allowing its computer and point-of-sale systems to be hacked, causing financial institutions’ payment card and customer information to be stolen.”
Alcoa Community also alleged Chipotle hasn’t implemented EMV in its stores and alluded to Chipotle’s most recent 10-K, which noted that the company experienced a possible breach back in 2004. That one cost about $4.3 million in losses and related expenses, according to Chipotle.
In an April 25 statement addressing the current breach, Chipotle said it had detected unauthorized activity on the network that supports its payment processing for purchases made in its restaurants.
“We immediately began an investigation with the help of leading cyber security firms, law enforcement, and our payment processor. We believe actions we have taken have stopped the unauthorized activity, and we have implemented additional security enhancements. Our investigation is focused on card transactions in our restaurants that occurred from March 24, 2017, through April 18, 2017. Because our investigation is continuing, complete findings are not available and it is too early to provide further details on the investigation,” it said.
In a subsequent statement, Chipotle announced that it has removed the malware.
That may not be enough for Alcoa Community FCU, according to the complaint.
“Defendant’s public statements to customers after the data breach plainly indicate that defendant believes that card-issuing institutions should be responsible for fraudulent charges on cardholder accounts resulting from the data breach,” it said. “Chipotle has made no overtures to the card-issuing institutions that are left to pay for damages as a result of the breach.”
Alcoa Community FCU’s suit is one of many that credit unions have filed against various retailers and restaurant companies over their data breaches, including Arby’s, Wendy’s, Home Depot and Target.
As of March 31, 2017, Chipotle operated over 2,200 restaurants in the United States, as well as 34 international locations. It reported $3.9 billion in revenues in 2016. Its most recent 10-K notes that 70% of its 2016 sales were attributable to credit and debit card transactions.
