Chipotle Discloses Data Breach Impacting Employee PII On December 23, 2025, Chipotle Mexican Grill reported a data breach exposing the personally identifiable information (PII) of current and former employees. The incident, currently under investigation, has affected at least 31 individuals in Maine and two in New Hampshire, though the total number of impacted employees may rise. The breach occurred between October 9 and October 26, 2025, when an unauthorized threat actor accessed Chipotle’s Workday employee profiles. By November 7, the company confirmed that sensitive data—including Social Security numbers, dates of birth, bank account numbers, and routing numbers—had been compromised. The exposed information heightens risks of identity theft and financial fraud. Unlike a broader Workday system compromise, this breach targeted Chipotle’s specific instance, likely through phishing or social engineering tactics. Similar attacks have been observed across other companies, where threat actors hijack payroll accounts to redirect direct deposit payments. Chipotle notified the Attorney Generals’ offices in New Hampshire, Massachusetts, and Vermont on December 23 and began mailing notifications to affected individuals. The company has also engaged Kroll to provide complimentary identity monitoring services for those impacted. A dedicated call center (844-574-1154) was established for inquiries.

The Washington State Office of the Attorney General reported that Messner Reeves LLP, on behalf of Chipotle Mexican Grill, Inc., experienced a ransomware cyberattack occurring between July 17 and August 5, 2023. Approximately 678 Washington residents were affected, and the exposed information included names and full dates of birth. Notifications were sent out on May 24, 2024.

The Chipotle Mexican Grill experienced a significant cybersecurity incident that was part of a broader series of attacks attributed to the cybercriminal group known as FIN7. Over the course of their operations in the United States, FIN7 breached the computer networks of companies across 47 states and the District of Columbia, managing to steal more than 15 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations. These attacks not only targeted Chipotle but also other well-known chains including Chili’s, Arby’s, and Jason’s Deli, highlighting the widespread impact of FIN7’s activities. Additionally, the Emerald Queen Casino in Western Washington was among the targeted local businesses, demonstrating the group's reach beyond the food industry. The breaches led to the compromise of vast amounts of customer data, causing severe damages to the company's reputation and potentially its finances due to the theft of customer financial information.

The Maine Office of the Attorney General reported a data breach involving Chipotle Mexican Grill on October 29, 2020, following unauthorized access to employee email accounts from January 19 to January 21, 2020. The breach potentially affected 5,440 individuals, including 19 Maine residents whose Social Security numbers were compromised. Chipotle is offering affected individuals a complimentary one-year membership in identity theft protection services through Experian.

In a sophisticated cyber-attack led by the group Fin7 using the Carbanak malware, Chipotle Mexican Grill suffered a significant data breach affecting numerous U.S. locations. The attackers managed to steal the details of 15 million payment cards by compromising the restaurant chain's payment systems. The method involved carefully planned intrusions leveraging malicious documents to install the Carbanak banking Trojan, which allowed them to manipulate point-of-sale systems and harvest financial data over a period of months. This breach was part of a larger series of attacks attributed to Fin7, which targeted over 120 U.S. companies, resulting in substantial financial and reputational damage. Despite arrests made in connection to the Fin7 group, the impact of the breach on Chipotle and its customers highlights the ongoing vulnerability of retail and food service industries to sophisticated cybercriminal operations.

Chipotle Mexican Grill detected a data security breach in this they found unauthorized activity on their network that supports payment processing for purchases made in their restaurants. They advised customers to keep a watchful eye on their credit card bills. Anyone who discovers fraudulent charges was urged to alert their bank.

The California Office of the Attorney General reported a data breach involving Chipotle Mexican Grill, Inc. on May 26, 2017. The breach involved malware targeting payment card data at point-of-sale devices from March 24, 2017, to April 18, 2017, potentially affecting customers' cardholder names, card numbers, expiration dates, and internal verification codes. The number of individuals affected is UNKN.