
Class-action suit filed alleging Chipotle’s ‘elementary’ security, negligence led to data breach

DENVER – Chipotle faces a class-action lawsuit over the potential data breach the company first reported last month. The suit alleges that the company’s willful negligence and “elementary” security measures led to the breach, which is now costing banks and customers money.

The Denver-based company first reported the possible breach late last month, saying that credit and debit cards used between March 24 and April 18 of this year may have been compromised by “unauthorized activity” on company servers.

“Consistent with good practices, consumers should closely monitor their payment card statements. If anyone sees an unauthorized charge, they should immediately notify the bank that issued the card,” the company said in its statement. “Payment card network rules generally state that cardholders are not responsible for such charges.”

That statement is exactly what the lawsuit, filed May 4 in the U.S. District Court of Colorado, cites as its basis.

The suit’s class has yet to be certified, but it was filed by New Hampshire-based Bellwether Community Credit Union on behalf of all “credit unions, banks, and other financial institutions” that may have had to reissue customers’ cards that were compromised in the breach, close compromised accounts, or remedy any false transactions.

The suit claims that there are more than 100 members of the proposed class, and that alleged damages exceed $5 million.

Though it’s still unclear how many customers may have been affected in the alleged breach, the suit claims that the company knew it was putting itself at risk for further security breaches after a 2004 breach and a handful of recent ones involving other food-service companies.

“The deficiencies in Chipotle’s security system include a lack of elementary security measures, which even the most inexperienced IT professional could identify as problematic,” the suit says.

It claims that the company, which had around 2,250 U.S. locations as of March 31, failed to upgrade its security after a breach the company says cost it about $4.3 million between 2004 and 2006.

The suit also cites Chipotle’s February 2017 annual report to the U.S. Securities and Exchange Commission (SEC), in which the company itself said:

“We may in the future become subject to additional claims for purportedly fraudulent transactions arising out of the actual or alleged theft of credit or debit card information, and we may also be subject to lawsuits or other proceedings in the future relating to these types of incidents … Consumer perception of our brand could also be negatively affected by these events, which could further adversely affect our results and prospects.

“The liabilities resulting from any of the foregoing would likely be far greater than the losses we recorded in connection with the data breach incident in 2004.”

The suit claims that one of the biggest problems that led to the hacking was Chipotle’s failure to adhere to credit card companies’ regulations that required companies to start using chip technology by October 2015.

Unlike the older magnetic-stripe cards, chip cards mask the credit card information contained within transactions.

But the suit claims that Chipotle stated specifically that it would not switch over to the chip-only system because it would “slow down customer lines.”

By doing so, the company exposed itself to damages from litigation: according to the lawsuit, the card companies’ regulations said that any business not adhering to the October 2015 deadline would “agree to be liable for damages resulting from any data breaches.”

The suit says that Chipotle has said that 70 percent of its sales involved a debit or credit card transaction, and estimates that “hundreds of thousands” of Chipotle customers could have had their private credit and debit card numbers, and information relating to them, compromised.

Since the burden is on banks to close accounts and reissue new cards, the suit claims that any bank having to do so because of the Chipotle breach is damaged by the breach and subject to compensation.

The class, should it be certified, requests damages and injunctive and declaratory relief on the basis that Chipotle was negligent in its failure to upgrade its security systems for transactions and data storage.

It asks a judge to issue an injunction forcing Chipotle to adhere to industry-standard encryption methods, switch to chip-card readers, and undergo a large audit and subsequent upgrade of its security systems.

A request for comment made to Chipotle had not been returned as of the time of publishing.

A scheduling conference for the case has been set for July 18 in Denver.

Judge dismisses Colo. AG’s suit against Boulder Co. oil and gas moratorium after it expires

BOULDER COUNTY, Colo. – A Boulder District Court judge last week dismissed a lawsuit by the Colorado attorney general and two oil and gas organizations that sought to block the county’s moratorium on oil and gas development.

Judge Norma Sierra granted the motion to dismiss last Tuesday, though the motion was unopposed by the attorney general’s office and the two other plaintiff interveners in the suit: the Colorado Oil and Gas Association and American Petroleum Institute.

The dismissal came after attorneys for both sides agreed not to pursue the suit further because the moratorium, which bans the county from accepting and processing new attempts by companies to develop oil and gas properties in unincorporated parts of the county, expired on May 1.

Each party to the suit has been directed to pay their own court costs and attorneys’ fees in the case.

Colorado Attorney General Cynthia Coffman filed the suit in February after the county failed to repeal its moratorium by the imposed deadline of Feb. 10.

Boulder County put the moratorium in place in 2012 and has extended it eight times, most recently in December, when county commissioners voted to extend it to May 1.

The now-dismissed suit pointed to a 2015 Colorado Supreme Court case that went against Fort Collins’ moratorium on fracking and a Longmont moratorium, and said that local governments cannot regulate the oil and gas industry.

The 2015 case’s ruling said that the Colorado Oil and Gas Conservation Act gives the state sole power to regulate oil and gas development and operations within the state.

In both rulings, the court said that even a temporary moratorium, which Boulder has argued its moratorium is, “deleteriously affects what is intended to be a state-wide program of regulation.”

Coffman on Monday praised the county’s decision to lift its moratorium.

“Boulder County took a positive step by finally lifting its unlawful moratorium, and I strongly believe that would not have happened without my office taking action to enforce state law,” she said. “While my office will be watching how Boulder’s new rules are implemented, we have agreed to the dismissal of our court case since there no longer is a moratorium in place.”

A Boulder County spokesman told the Daily Camera Monday that the county had so far not received any new development applications since the moratorium expired May 1.

The county has since implemented new rules regarding oil and gas development.

The suit’s dismissal comes amid a heightened focus on oil and gas development in populated areas of Colorado, as Gov. John Hickenlooper has ordered all oil and gas wells within 1,000 feet of occupied buildings to be inspected after a home in Firestone blew up because of leaking gases from an abandoned well.

