What Small Business Owners Can Learn from Chipotle’s Data Breach


Chipotle is no stranger to the public spotlight. The popular food chain spent the past eighteen months trying to rebuild trust with its customers after a series of food safety scares, including an E. coli outbreak. Just when it was starting to see its bottom line move in a positive direction, Chipotle has once again made headlines.

On Tuesday, April 25, 2017, Chipotle released a statement on their website notifying customers of a potential data breach. According to their official statement,

“We want to make our customers aware that we recently detected unauthorized activity on the network that supports payment processing for purchases made in our restaurants.”

They go on to encourage customers to review their credit card statements for any suspicious activity. Those who need to be concerned are customers who purchased food using a credit card at one of Chipotle’s locations between March 24, 2017, and April 18, 2017. The biggest concern these customers face is that a hacker potentially stole their credit card information.

What happens in the event of a data breach?

When a business faces a potential data breach, there are steps they have to take to protect their business and their customers. Every incident begins with an investigation, which is the step Chipotle addressed in Tuesday’s statement. A cyber breach task force is created to comb through suspicious activity and uncover what information a hacker accessed or compromised. Currently, Chipotle is working with law enforcement, cyber security firms, and the payment processor to better understand the suspicious activity.

Customers can expect Chipotle to release more information when they uncover what occurred. Chipotle is required by law to notify all customers whose information is compromised as well as provide twelve months of credit monitoring to prevent identity theft.

How does the data breach impact Chipotle?

For a business that was trying to pull itself up after a 95% drop in net income last year, this data breach won’t help its reputation. But Chipotle is not the first corporate organization to experience a data breach nightmare. Target, Sony, and Arby’s have all been victims of data breaches, and each of these businesses suffered financial damage afterward.

Chipotle can expect to pay if they confirm a data breach did occur. A recent survey reveals that the average cost per compromised record is $158. When you consider that Chipotle serves approximately 750,000 customers per day and the breach occurred over a 26-day period, that’s potentially 31 million customer records or $5 billion.

The role of cyber liability insurance

Cyber liability insurance continues to grow in popularity with the rise in breaches. It makes sense. Having cyber liability insurance in place is the only way most companies survive the aftermath of a data breach. Cyber liability policies include coverage for data breaches, media liability, network failure, extortion, mandatory reporting costs, and regulatory fines. In most cases, the reporting and regulatory fines coverage is a sublimit of the overall policy limits. If a company suffers a $3 million data breach but only has $1 million in coverage, they will still be responsible for the difference, a lesson Target learned the hard way.

Small businesses often think they aren’t at risk for a data breach, but they face an even bigger risk than their large counterparts: minimal financial resources. Businesses like Chipotle and Target have the ability to bounce back after data breaches, but the majority of smaller businesses risk closing their doors within six months of a data breach.

What can a small business do to protect themselves?

Now is as good a time as any for small businesses to review their cyber liability insurance policy, make sure they have adequate limits, and take the necessary steps to keep their doors open if a data breach does occur. In addition, taking the time to lay out an incident response plan has been demonstrated to consistently reduce the costs associated with a given data breach. Just be sure to do so before an issue arises.