Close Menu
  • Home
  • Articles
    • Attacks
      • BEC
      • Data Breach
      • DDoS
      • Evasion Attacks
      • Injection
      • Malware
      • MITM
      • Phishing
      • Ransomware
      • RCE
      • Social Engineering
      • Spoofing
      • Spyware
    • Business and Policy
      • BCP and DRP
      • GRC
      • Regulations
    • Data Protection
      • DLP
      • DRM
      • Encryption
      • IAM
    • Future, Trends and Insight
      • AI
      • Events & Community
      • Emerging Tech
      • Expert Panel
      • Interviews With Experts
      • Insights
      • Study & Research
    • Resources
      • Guides
      • Tools
      • Training & Education
    • Security
      • API
      • Apps
      • Cloud
      • Critical Infrastructure
      • Endpoint
      • Hardware
      • IoT
      • Mobile
      • Network
      • OT
      • Port Security
      • Security Architecture
      • Software Development
      • Supply Chain
      • Zero Trust
    • Threats and Vulnerabilities
      • Emerging Threats
      • Insider Threats
      • Risk Management
      • Threat Intelligence
      • Zero Day
  • News and Exclusives
    • Latest News
    • ISB Exclusive
    • Positive News
  • Who We Are
    • About Us
    • Information Security Buzz Expert Panel​
    • Write for Us
    • Media Pack
  • Contact Us
  • Newsletter
Facebook X (Twitter) LinkedIn
Facebook X (Twitter) LinkedIn
Information Security BuzzInformation Security Buzz
  • Home
  • Articles
    • Attacks
      • BEC
      • Data Breach
      • DDoS
      • Evasion Attacks
      • Injection
      • Malware
      • MITM
      • Phishing
      • Ransomware
      • RCE
      • Social Engineering
      • Spoofing
      • Spyware
    • Business and Policy
      • BCP and DRP
      • GRC
      • Regulations
    • Data Protection
      • DLP
      • DRM
      • Encryption
      • IAM
    • Future, Trends and Insight
      • AI
      • Events & Community
      • Emerging Tech
      • Expert Panel
      • Interviews With Experts
      • Insights
      • Study & Research
    • Resources
      • Guides
      • Tools
      • Training & Education
    • Security
      • API
      • Apps
      • Cloud
      • Critical Infrastructure
      • Endpoint
      • Hardware
      • IoT
      • Mobile
      • Network
      • OT
      • Port Security
      • Security Architecture
      • Software Development
      • Supply Chain
      • Zero Trust
    • Threats and Vulnerabilities
      • Emerging Threats
      • Insider Threats
      • Risk Management
      • Threat Intelligence
      • Zero Day
  • News and Exclusives
    • Latest News
    • ISB Exclusive
    • Positive News
  • Who We Are
    • About Us
    • Information Security Buzz Expert Panel​
    • Write for Us
    • Media Pack
  • Contact Us
  • Newsletter
Subscribe
Information Security BuzzInformation Security Buzz
Home - News & Analysis - Chipotle’s Payment System Hacked
News & Analysis

Chipotle’s Payment System Hacked

ISBuzz TeamBy ISBuzz TeamApril 27, 20175 Mins Read
Share LinkedIn Twitter Facebook Copy Link Email
Share
Facebook Twitter LinkedIn Email Copy Link
Quick AI Summary
ChatGPTClaudeGeminiGrokPerplexityDeepSeekCopilot

Following the news that Chipotle Mexican Grill’s payment processing system have reportedly been hacked, IT security specialists from Tripwire, AlienVault, McAfee and Balabit commented below.

Tim Erlin, VP at Tripwire:

tim_erlin“While we may have become numb to these breaches, criminals continue to target point of sale terminals.  As long as compromised credit card data continues to be a valuable commodity on the black market, any company collecting or processing valid credit card information will continue to be a high value target. Organizations from fast food chains to clothing stores should pay attention to the lessons learned, not just from how criminals are getting in, but also from how compromised companies are handling the incident response to such events.

The best advice for companies running point of sale systems is to isolate and lock down the devices as much as possible.  Point of sale terminals are typically low change environment. Implementing security configurations and closely monitoring for any change can both prevent and detect any potential attacks.  These systems should talk to predictable destinations both internally on the network as well as externally on the Internet.  Carefully monitoring communications for anomalies can help identify successful attacks.”

Javvad Malik, Security Advocate at AlienVault:

Javvad Malik“The attack against the payment systems highlights that even with PCI DSS controls in place to segment and protect payment networks, companies need to remain vigilant against attacks and have broad monitoring and threat detection capabilities in place that can alert to an attack in a timely manner so that the appropriate response may be taken.”

Raj Samani, Chief Scientist at McAfee:

raj_samani“The news that Chipotle’s payment system has been hacked is a further reminder that all types of businesses where transactions are made, are a potential target for increasingly clever cyber criminals. Whilst it is still unclear how many customers and restaurants were hacked, it is imperative that businesses need to take control of their cyber security and introduce efficient security measures long before these hacks actually happen.

“Many customers across the US, Canada and UK will be left wondering today if they have been caught up in this hack and whether or not they have purchased a very expensive burrito. Until Chipotle release additional information, customers will be unsure whether they have been targeted and if their data of money is the hands of criminals. Businesses cannot afford to dismiss cyber security as a problem solely for the IT department. The financial future of a business – or that of its customers – can hinge upon the security of in-store payment methods.”

Sándor Bálint, Security Lead for Applied Data Science at Balabit:

Sandor Balint“This incident is a reminder of the fundamental problem about credit card payments –  that they’re the source of a host of security issues and very difficult and costly to secure. The problem is that a sequence of characters – the card number – is used as an identifier, but this same sequence (when combined with the expiration date and the card security number) is sufficient to make financial transactions on behalf of the cardholder, therefore the ‘known’ number is also treated as a secret.

“Interestingly, while issuing banks expect cardholders to keep the number a secret, by definition they must share it as an identifier with a number of people and organizations (many of whom they’ll never meet) in order to make card transactions. Once shared as an identifier, the card number passes through many hands in the payment system, and the chain is only as strong as its weakest link. Much of the burden of trying to protect this “confidential identifier that’s also meant for sharing” is pushed to merchants and payment service providers, who are challenged with dealing with this fundamental architectural flaw.

“Anyone who has ever read through the Payment Card Industry Data Security Standard (or PCI DSS), the security requirements for merchants and payment processors that’s used by all major card brands, knows that compliance with all of the requirements is a tall and costly order.

“It’s been said that when it comes to protecting credit card information, cardholder data should be treated like nuclear waste, and the goal should be to minimize the number of people in an organization that ‘glow in the dark.’ In other words, processing, storing and handling this data should be kept to the absolute minimum (perhaps to the point of considering outsourcing it entirely), and the number of people who have access to this data should be as low as possible. This way, the scope of the people and systems dealing with this data (defined as the CDE, or cardholder data environment) can be minimized, greatly reducing the costs of compliance with the PCI DSS.

“Even with the best intentions, and with robust controls in place, breaches may not be entirely preventable. And here, another security principle comes into play: usually preventive controls are best, but a combination of detective and corrective controls should be employed. That’s why the PCI DSS has an entire chapter of requirements devoted to monitoring and testing.

“When it comes to monitoring, the effectiveness of the control depends on the coverage and depth of information gathered, the type of analysis that takes place, and the corrective processes that are triggered – ideally automatically – to respond to detected irregularities. For detective and corrective actions, time is a crucial factor: how long does it take from incident to detection, and from detection to relevant corrective action? If we can’t prevent something but we react almost immediately when it happens, we can greatly reduce any damage that can be done. Therefore, shortening that interval between detection and response should be the goal – the right tools for data collection and analysis can offer dramatic improvements and increased security.”

ISBuzz Team
  • ISBuzz Team
    Air Canada Data Breach: BianLian Extortion Group Claims A Massive Heist Contrary To Airline’s Earlier Statement
  • ISBuzz Team
    Unprecedented DDoS Attack Rocks The Web: Tech Giants Reveal A Digital Tsunami
  • ISBuzz Team
    CISA Flags High-Severity Adobe Acrobat Reader Flaw Amid Active Exploits
  • ISBuzz Team
    Curl Security Alert: Patching A Critical Bug Averting Potential Cyber Catastrophe

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.

Share. Facebook Twitter LinkedIn Email Copy Link

Related Posts

The Real Cost of Inconsistent Third-Party Access

December 18, 20255 Mins Read

What Happens When Devices Cross Borders? The Role of Geofencing in Global IT

August 7, 20256 Mins Read

The Evolving Importance of Identity Governance in FinTech

July 10, 20258 Mins Read
ISB-Bora-Side-Bar

 
ISB-Bora-Side-Bar
Black ISB Logo

Information Security Buzz is an independent resource that provides the experts’ comments, analysis, and opinion on the latest Cybersecurity news and topics

X (Twitter) LinkedIn Facebook RSS

Working With Us

  • About Us
  • Advertise With Us
  • Contact Us

Write For Us

  • How To Contribute

The Pages

  • Privacy Policy
  • Cookie Policy
  • AI Policy
  • Terms & Conditions
  • Copyright Notice

Information Security Buzz and all its contents are copyright © 2014-2025. All rights reserved. All third-party trademarks are recognized.

Type above and press Enter to search. Press Esc to cancel.

Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
  • Manage options
  • Manage services
  • Manage {vendor_count} vendors
  • Read more about these purposes
View preferences
  • {title}
  • {title}
  • {title}