On Friday, Chipotle Mexican Grill said that it has new information about the March-April data breach at its restaurants, information which points to hackers using malware to steal customer payment information.

In the statement, Chipotle Mexican Grill says that bank account information, card expiration dates, and verification codes could all be accessed by the malware installed on the payment card systems throughout the fast-casual dining chain over the three weeks between March 24 and April 18, affecting the vast majority of the company’s 2,249 restaurants. Chipotle also reported that the malware which had breached its system has been fully removed.

A spokesperson for the company comments, “Because of the nature of the incident and the data involved, we lack sufficient information to determine how many unique payment cards may have been involved.”

Chipotle has also warned that consumers should check their credit card statements for any unauthorized activity and report such charges to their card issuer. The company’s statement reminds: “Payment card rules generally provide that cardholders are not responsible for unauthorized charges reported in a timely manner.”

Julie Conroy, research director at research and advisory firm Aite Group, also comments, “If your data was stolen through a data breach that means you were somewhere out of compliance.”
Security analysts now advise that Chipotle is likely to face a fine based on the scope of this breach and on how many records have been compromised.

“In this case, the card companies will fine Chipotle and also hold them liable for any fraud that results directly from their breach,” explains Gartner Inc vice president Avivah Litan.
The breach comes at a less-than-favorable time for Chipotle, which is still trying to dig its way out of food safety issues from 2015 that resulted in a dramatic drop in sales. The company’s efforts have been valiant, with its stock posting at $480.15 on Friday, up from $381 a share so far this year.