Chipotle says hackers may have grabbed customers' payment card information at some 60 Minnesota restaurants, and many more nationwide.
Cyber-crooks planted malware that compromised restaurant check-out card readers, grabbing customers' names and the card numbers, expiration dates and verification codes embedded on magnetic stripes.
Chipotle has posted more information on the incident, including a list of the affected restaurants and dates of attack.
The bad news comes as the company's fortunes appear to be on the mend after high-profile food poisoning incidents that started in late 2015 hurt sales and profits.
Customers who used a payment card at an affected location during the hack should monitor for any fraud or unauthorized activity and report anything suspicious to card issuers, Chipotle said.
However, the big threat comes from criminals combining stolen personal information to get new cards, said David Robertson, who tracks the payment-card industry.
"They'll open a brand new account in your name that you don't know about," said Robertson, who publishes the Nilson Report, which follows the card and mobile payment industry. "Then they run up the entire line of credit in the first month."
Chipotle says it's working with cyber security firms to enhance its data protection. Its restaurants use swipe card readers. That can speed up service compared to chip card readers. The company says that technology does not stop malware attacks.
A company spokesman said Chipotle regrets the incident and apologizes for any inconvenience that customers may experience.