Credential theft

Chipotle Mexican Grill POS Malware Breach (Most U.S. Restaurants)

📅 2017-03-24 🦠 POS malware (Track data scraper)

Incident Details

Between March 24 and April 18, 2017, point-of-sale (POS) malware infected the majority of the approximately 2,250 Chipotle Mexican Grill restaurant locations across 47 U.S. states and Washington D.C., as well as 7 Pizzeria Locale locations. Chipotle issued an initial public statement on April 25, 2017, after its payment processor detected unusual activity. A full investigation, completed in May 2017, found that the malware had searched for Track data (cardholder name, card number, expiration date, and internal verification code) as it was routed through POS devices. Only cards used in-store during the affected dates were at risk; online orders and gift card transactions were not affected. The breach affected nearly all of Chipotle's U.S. store fleet simultaneously, suggesting the malware may have been introduced through a common system or software update channel. Chipotle had processed over $600 million in card transactions during the affected period. The company worked with law enforcement and leading cybersecurity firms to investigate and remediate.

Technical Details

Initial Attack Vector
POS malware installed on payment devices at the majority of Chipotle Mexican Grill restaurant locations; malware searched for and captured Track 1 and Track 2 magnetic stripe data as it was routed through POS processing systems
Malware Family
POS malware (Track data scraper)

Timeline

  1. 2017-03-24 Breach occurred
  2. 2017-04-25 Publicly disclosed
  3. 2017-05-26 Customers notified