Chipotle: Difference between revisions

Line 13:

This is a list of all consumer-protection incidents this company is involved in. Any incidents not mentioned here can be found in the [[:Category:{{FULLPAGENAME}}|{{PAGENAME}} category]].

===~~2004~~ Data Breach===

===Data Breach (2004)===

Around 2004, Hackers gained access to Chipotle payment systems, stealing customers data labelled as "Track 2" that contained customers name, card number, card expiration date, and card verification number. Chipotle found out about the attack in August after their merchant bank informed the company of the attack. Although specific details aren't publicized, through fillings with the Securities Exchange Commission:, the company lost an estimate $4.3 million in revenue starting 2004 through 2006.<ref name=":1" />

Line 22:

In January, Leah Caldwell filed a lawsuit against Chipotle for unlawful advertisement and marketing of her photo, seeking over $2.2 billion in damages.<ref>{{Cite web |date=25 January 2017 |title=Using a Person's Image for Commercial Purposes: Lessons Learned from the Chipotle $2.2 Billion Lawsuit |url=https://www.tarterkrinsky.com/insights/using-a-persons-image-for-commercial-purposes-lessons-learned-from-the-chipotle-2-2-billion-lawsuit |url-status=live |access-date=13 March 2026 |website=TarterKrinsky & Drogin}}</ref> In 2006, Leah Caldwell sat in a Chitpotle restaurant when photographer Steve Adams took a photo of her while eating. Before leaving, Steve Adams asked her to sign the sign a release form, however she declined.<ref>{{Cite web |last=Pham |first=Peter |date=6 January 2017 |title=Chipotle Faces $2 Billion Lawsuit For Allegedly Using Photo Of Woman Without Permission |url=https://www.foodbeast.com/news/chipotle-2billion-photo/ |url-status=live |access-date=13 March 2026 |website=FoodBeast}}</ref> 8 years later around December, she discovered her photo was used as promotion Florida and Califronian chipotle restaurant up till 2015.<ref>{{Cite web |last=Hillen |first=Brittany |date=9 January 2017 |title=Chipotle sued for $2.2b for allegedly using woman's photo without permission |url=https://www.dpreview.com/news/0452748489/chipotle-sued-for-2-2b-for-allegedly-using-womans-photo-without-permission |url-status=live |access-date=13 March 2026 |website=DPreview}}</ref><ref>{{Cite web |date=22 November 2022 |title=A Woman Is Suing Chipotle For $2.2 Billion |url=https://www.hotnewhiphop.com/468369-a-woman-is-suing-chipotle-for-s22-billion-news |url-status=live |access-date=13 March 2026 |website=HnHH}}</ref> The Lawsuit reached a settlement in 2017, however specific details surrounding the agreement remain unknown.<ref name=":0">{{Cite web |last=Smith |first=Jacob |date=31 October 2024 |title=13 Shady Things You Can't Ignore About Chipotle |url=https://www.thetakeout.com/1697181/shady-things-about-chipotle/ |url-status=live |access-date=13 March 2026 |website=TheTakeout}}</ref>

===~~2017~~ Data Breach===

===Data Breach (2017)===

Between March 24 to April 18, hackers were able to infiltrate Chipotle [[wikipedia:Point_of_sale|point of sale systems]] through a malware attack, affecting over 2,250 locations globally and resulting in some customers name, card number, expiration date, and verification code information being stolen. On April 25, Chipotle disclosed and started an investigation into the incident. Additionally The company claimed no other information was collected.<ref>{{Cite web |date=26 May 2017 |title=CHIPOTLE MEXICAN GRILL REPORTS FINDINGS FROM INVESTIGATION OF PAYMENT CARD SECURITY INCIDENT |url=https://www.oag.ca.gov/system/files/Chipotle%20-%20Substitute%20Notice%20and%20Press%20Release_0.pdf |url-status=live |access-date=13 March 2026 |website=Chipotle — Security Inciden}}</ref> <blockquote>“During the investigation we removed the malware, and we continue to work with cyber security firms to evaluate ways to enhance our security measures,” the company says. “In addition, we continue to support law enforcement”s investigation and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring.”<ref>{{Cite web |last=TRUȚĂ |first=Filip |date=30 May 2017 |title=Chipotle customers told to 'remain vigilant' as POS hack probe reveals most restaurants affected |url=https://www.bitdefender.com/en-us/blog/hotforsecurity/chipotle-customers-told-to-remain-vigilant-as-pos-hack-probe-reveals-most-restaurants-affected |url-status=live |access-date=13 March 2026 |website=Bitdefender}}</ref></blockquote>This resulted in a lawsuit being filed against Chipotle on May 4 for failure to conduct adequate security measures and prevent future breaches.<ref name=":1">{{Cite web |last=Rizzi |first=Corrado |date=4 May 2017 |title=Guac Is Extra: Financial Outlet Sues Chipotle Over March '17 Data Breach |url=https://www.classaction.org/news/guac-is-extra-financial-outlet-sues-chipotle-over-march-17-data-breach |url-status=live |access-date=13 March 2026 |website=ClassAction}}</ref> A settlement was reached in 2019, compensating customers affected between March 24 and April 18 $250 or $10000.<ref>{{Cite web |date=23 July 2019 |title=Chipotle Data Breach Class Action Settlement |url=https://topclassactions.com/lawsuit-settlements/closed-settlements/chipotle-data-breach-class-action-settlement/ |url-status=live |access-date=14 March 2026 |website=Top Class Action}}</ref>

===~~2019~~ Data Breach===

===Data Breach (2019)===

Around April, people posted on [[Reddit]] and [[X Corp|X]] (Formally Twitter) of their accounts being used to order food across different locations.<ref>{{Cite web |date=24 April 2019 |title=DATA BREACH AT CHIPOTLE FAST FOOD RESTAURANT, DOZENS OF APP ACCOUNTS WERE HACKED |url=https://iicybersecurity.wordpress.com/2019/04/24/data-breach-at-chipotle-fast-food-restaurant-dozens-of-app-accounts-were-hacked/ |url-status=live |access-date=14 March 2026 |website=International Institute of Cyber Security}}</ref> A spokesperson at Chipotle responded by saying the attack was due to credential stuffing, however several customers claimed to have unique passwords specific to Chipotle.<ref>{{Cite web |last=Whittaker |first=Zack |date=17 April 2019 |title=Chipotle customers are saying their accounts have been hacked |url=https://techcrunch.com/2019/04/17/chipotle-accounts-hacked/ |url-status=live |access-date=14 March 2026 |website=Techrunch}}</ref> The exact amount of customers affect, along with specific dates towards fixing the vulnerability and names of perpetrators, remains unknown.

===Sending Automated Spam Messages To customers without Consent ~~(2017, 2019 and 2023)~~===

===Sending Automated Spam Messages To customers without Consent===

~~https://www.classaction.org/news/florida-man-files-class-action-against-chipotle-over-alleged-unsolicited-text-messages 2017~~

https://www.classaction.org/news/~~chipotle~~-~~hit~~-~~with-tcpa~~-class-action-over-alleged-~~automated~~-text-messages ~~2019 incident~~

==== 2017 Incident ====

On December 21, Richard Rabinowitz filed a class action lawsuit against Chipotle for allegedly violating the Telephone Consumer Protection Act by sending customers marketing messages without consent through their automatic telephone dialing system. Around November 17 through December 18, Richard Rabinowitz received 5 messages marketing the newly released Queso, however the plaintiff claims it was targeted marketing as the Queso wasn't positively received by customers. <ref>{{Cite web |last=Rizzi |first=Corrado |date=10 January 2018 |title=Florida Man Files Class Action Against Chipotle Over Alleged Unsolicited Text Messages |url=https://www.classaction.org/news/florida-man-files-class-action-against-chipotle-over-alleged-unsolicited-text-messages |url-status=live |access-date=13 March 2026 |website=ClassAction}}</ref> As of March 2026, the lawsuit is still progressing in courts.

https://www.classaction.org/news/~~guac-is-extra-~~chipotle-hit-with-class-action-over-alleged-~~spam~~-~~texts~~ 2023 ~~incindent~~

==== 2019 Incident ====

On June 19, a lawsuit was filed against Chipotle for allegedly sending customers marketing messages without consent using an automatic dialer for promotion of their products. As of March 2026, the case is still ongoing.<ref>{{Cite web |last=Rizzi |first=Corrado |date=19 July 2019 |title=Chipotle Hit with TCPA Class Action Over Alleged Automated Text Messages |url=https://www.classaction.org/news/chipotle-hit-with-tcpa-class-action-over-alleged-automated-text-messages |url-status=live |access-date=13 March 2026 |website=ClassAction}}</ref>

==== 2023 Incidents ====

On January 18, Sandra Diaz filed a lawsuit against Chipotle after receiving marketed messages on October 31 without given consent. The plaintiff alleges the company sent messages to customers using an automatic dialing system, dating to early July 2021.<ref name=":1" /> As of March 2026, the lawsuit is still in progress.

===False Advertising on non-GMO food (2019)===

https://topclassactions.com/lawsuit-settlements/consumer-products/food/6-5m-chipotle-class-action-settlement-approved/

https://natlawreview.com/article/65-million-settlement-reached-eve-trial-class-action-lawsuit-against-chipotle-over

===Overcharging Customers Using the App (2019)===

https://www.today.com/food/chipotle-customers-say-chain-charging-them-hundreds-dollars-fake-orders-t164862

=== Chipotle Restaurants Not Accommodating Disabled Individuals (2021-2022) ===

Chipotle was involved in a lawsuit, alleging failure to provide access towards disabled customers with wheel chairs due to lack of feet comfort in tables and chairs. The case was dismissed in 2022.<ref>{{Cite web |last=White |first=Brian |date=16 February 2021 |title=Chipotle, Takao, Baby Blues-Bar-B-Q Chains Accused in ADA Lawsuits |url=https://topclassactions.com/disability-class-action-lawsuit/chipotle-takao-baby-blues-bbq-restaurant-ada-lawsuits/ |url-status=live |access-date=14 March 2026 |website=Top Class Action}}</ref>

===AI-voice ordering systems unlawfully collected Customers Data (2022)===

Line 68:

Line 78:

In 2020 Chipotle agreed to pay 25 million dollar fine and a three year deferred prosecution agreement related to the foodborne illness outbreaks that sickened more than 1,100 people between 2015 and 2018.<ref>{{Cite web |date=2020-04-21 |title=Office of Public Affairs |url=https://www.justice.gov/archives/opa/pr/chipotle-mexican-grill-agrees-pay-25-million-fine-and-enter-deferred-prosecution-agreement |website=justice.gov}}</ref>

===2015 Salmonella===

[https://digitalchew.com/2025/12/10/chipotle-lawsuit-woman-claims-rodent-in-burrito/ /]

=== 2015 Salmonella ===

===2015 E.Coli (October)===

@@ Line 13: / Line 13: @@
 This is a list of all consumer-protection incidents this company is involved in. Any incidents not mentioned here can be found in the [[:Category:{{FULLPAGENAME}}|{{PAGENAME}} category]].
-===2004 Data Breach===
+===Data Breach (2004)===
 Around 2004, Hackers gained access to Chipotle payment systems, stealing customers data labelled as "Track 2" that contained customers name, card number, card expiration date, and card verification number. Chipotle found out about the attack in August after their merchant bank informed the company of the attack. Although specific details aren't publicized, through fillings with the Securities Exchange Commission:, the company lost an estimate $4.3 million in revenue starting 2004 through 2006.<ref name=":1" />
@@ Line 22: / Line 22: @@
 In January, Leah Caldwell filed a lawsuit against Chipotle for unlawful advertisement and marketing of her photo, seeking over $2.2 billion in damages.<ref>{{Cite web |date=25 January 2017 |title=Using a Person's Image for Commercial Purposes: Lessons Learned from the Chipotle $2.2 Billion Lawsuit |url=https://www.tarterkrinsky.com/insights/using-a-persons-image-for-commercial-purposes-lessons-learned-from-the-chipotle-2-2-billion-lawsuit |url-status=live |access-date=13 March 2026 |website=TarterKrinsky & Drogin}}</ref> In 2006, Leah Caldwell sat in a Chitpotle restaurant when photographer Steve Adams took a photo of her while eating. Before leaving, Steve Adams asked her to sign the sign a release form, however she declined.<ref>{{Cite web |last=Pham |first=Peter |date=6 January 2017 |title=Chipotle Faces $2 Billion Lawsuit For Allegedly Using Photo Of Woman Without Permission |url=https://www.foodbeast.com/news/chipotle-2billion-photo/ |url-status=live |access-date=13 March 2026 |website=FoodBeast}}</ref> 8 years later around December, she discovered her photo was used as promotion Florida and Califronian chipotle restaurant up till 2015.<ref>{{Cite web |last=Hillen |first=Brittany |date=9 January 2017 |title=Chipotle sued for $2.2b for allegedly using woman's photo without permission |url=https://www.dpreview.com/news/0452748489/chipotle-sued-for-2-2b-for-allegedly-using-womans-photo-without-permission |url-status=live |access-date=13 March 2026 |website=DPreview}}</ref><ref>{{Cite web |date=22 November 2022 |title=A Woman Is Suing Chipotle For $2.2 Billion |url=https://www.hotnewhiphop.com/468369-a-woman-is-suing-chipotle-for-s22-billion-news |url-status=live |access-date=13 March 2026 |website=HnHH}}</ref> The Lawsuit reached a settlement in 2017, however specific details surrounding the agreement remain unknown.<ref name=":0">{{Cite web |last=Smith |first=Jacob |date=31 October 2024 |title=13 Shady Things You Can't Ignore About Chipotle |url=https://www.thetakeout.com/1697181/shady-things-about-chipotle/ |url-status=live |access-date=13 March 2026 |website=TheTakeout}}</ref>
-===2017 Data Breach===
+===Data Breach (2017)===
 Between March 24 to April 18, hackers were able to infiltrate Chipotle [[wikipedia:Point_of_sale|point of sale systems]] through a malware attack, affecting over 2,250 locations globally and resulting in some customers name, card number, expiration date, and verification code information being stolen. On April 25, Chipotle disclosed and started an investigation into the incident. Additionally The company claimed no other information was collected.<ref>{{Cite web |date=26 May 2017 |title=CHIPOTLE MEXICAN GRILL REPORTS FINDINGS FROM INVESTIGATION OF PAYMENT CARD SECURITY INCIDENT |url=https://www.oag.ca.gov/system/files/Chipotle%20-%20Substitute%20Notice%20and%20Press%20Release_0.pdf |url-status=live |access-date=13 March 2026 |website=Chipotle — Security Inciden}}</ref> <blockquote>“During the investigation we removed the malware, and we continue to work with cyber security firms to evaluate ways to enhance our security measures,” the company says. “In addition, we continue to support law enforcement”s investigation and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring.”<ref>{{Cite web |last=TRUȚĂ |first=Filip |date=30 May 2017 |title=Chipotle customers told to 'remain vigilant' as POS hack probe reveals most restaurants affected |url=https://www.bitdefender.com/en-us/blog/hotforsecurity/chipotle-customers-told-to-remain-vigilant-as-pos-hack-probe-reveals-most-restaurants-affected |url-status=live |access-date=13 March 2026 |website=Bitdefender}}</ref></blockquote>This resulted in a lawsuit being filed against Chipotle on May 4 for failure to conduct adequate security measures and prevent future breaches.<ref name=":1">{{Cite web |last=Rizzi |first=Corrado |date=4 May 2017 |title=Guac Is Extra: Financial Outlet Sues Chipotle Over March '17 Data Breach |url=https://www.classaction.org/news/guac-is-extra-financial-outlet-sues-chipotle-over-march-17-data-breach |url-status=live |access-date=13 March 2026 |website=ClassAction}}</ref> A settlement was reached in 2019, compensating customers affected between March 24 and April 18 $250 or $10000.<ref>{{Cite web |date=23 July 2019 |title=Chipotle Data Breach Class Action Settlement |url=https://topclassactions.com/lawsuit-settlements/closed-settlements/chipotle-data-breach-class-action-settlement/ |url-status=live |access-date=14 March 2026 |website=Top Class Action}}</ref>
-===2019 Data Breach===
+===Data Breach (2019)===
+Around April, people posted on [[Reddit]] and [[X Corp|X]] (Formally Twitter) of their accounts being used to order food across different locations.<ref>{{Cite web |date=24 April 2019 |title=DATA BREACH AT CHIPOTLE FAST FOOD RESTAURANT, DOZENS OF APP ACCOUNTS WERE HACKED |url=https://iicybersecurity.wordpress.com/2019/04/24/data-breach-at-chipotle-fast-food-restaurant-dozens-of-app-accounts-were-hacked/ |url-status=live |access-date=14 March 2026 |website=International Institute of Cyber Security}}</ref>  A spokesperson at Chipotle responded by saying the attack was due to credential stuffing, however several customers claimed to have unique passwords specific to Chipotle.<ref>{{Cite web |last=Whittaker |first=Zack |date=17 April 2019 |title=Chipotle customers are saying their accounts have been hacked |url=https://techcrunch.com/2019/04/17/chipotle-accounts-hacked/ |url-status=live |access-date=14 March 2026 |website=Techrunch}}</ref> The exact amount of customers affect, along with specific dates towards fixing the vulnerability and names of perpetrators, remains unknown.
-===Sending Automated Spam Messages To customers without Consent (2017, 2019 and 2023)===
+===Sending Automated Spam Messages To customers without Consent===
-https://www.classaction.org/news/florida-man-files-class-action-against-chipotle-over-alleged-unsolicited-text-messages 2017
-https://www.classaction.org/news/chipotle-hit-with-tcpa-class-action-over-alleged-automated-text-messages 2019 incident
+==== 2017 Incident ====
+On December 21, Richard Rabinowitz filed a class action lawsuit against Chipotle for allegedly violating the Telephone Consumer Protection Act by sending customers marketing messages without consent through their automatic telephone dialing system. Around November 17 through December 18, Richard Rabinowitz received 5 messages marketing the newly released Queso, however the plaintiff claims it was targeted marketing as the Queso wasn't  positively received by customers.  <ref>{{Cite web |last=Rizzi |first=Corrado |date=10 January 2018 |title=Florida Man Files Class Action Against Chipotle Over Alleged Unsolicited Text Messages |url=https://www.classaction.org/news/florida-man-files-class-action-against-chipotle-over-alleged-unsolicited-text-messages |url-status=live |access-date=13 March 2026 |website=ClassAction}}</ref> As of March 2026, the lawsuit is still progressing in courts.
-https://www.classaction.org/news/guac-is-extra-chipotle-hit-with-class-action-over-alleged-spam-texts 2023 incindent
+==== 2019 Incident ====
+On June 19, a lawsuit was filed against Chipotle for allegedly sending customers marketing messages without consent using an automatic dialer for promotion of their products. As of March 2026, the case is still ongoing.<ref>{{Cite web |last=Rizzi |first=Corrado |date=19 July 2019 |title=Chipotle Hit with TCPA Class Action Over Alleged Automated Text Messages |url=https://www.classaction.org/news/chipotle-hit-with-tcpa-class-action-over-alleged-automated-text-messages |url-status=live |access-date=13 March 2026 |website=ClassAction}}</ref>
+==== 2023 Incidents ====
+On January 18, Sandra Diaz filed a lawsuit against Chipotle after receiving marketed messages on October 31 without given consent. The plaintiff alleges the company sent messages to customers using an automatic dialing system, dating to early July 2021.<ref name=":1" /> As of March 2026, the lawsuit is still in progress.
 ===False Advertising on non-GMO food (2019)===
+https://topclassactions.com/lawsuit-settlements/consumer-products/food/6-5m-chipotle-class-action-settlement-approved/
 https://natlawreview.com/article/65-million-settlement-reached-eve-trial-class-action-lawsuit-against-chipotle-over
 ===Overcharging Customers Using the App (2019)===
 https://www.today.com/food/chipotle-customers-say-chain-charging-them-hundreds-dollars-fake-orders-t164862
+=== Chipotle Restaurants Not Accommodating Disabled Individuals (2021-2022) ===
+Chipotle was involved in a lawsuit, alleging failure to provide access towards disabled customers with wheel chairs due to lack of feet comfort in tables and chairs. The case was dismissed in 2022.<ref>{{Cite web |last=White |first=Brian |date=16 February 2021 |title=Chipotle, Takao, Baby Blues-Bar-B-Q Chains Accused in ADA Lawsuits |url=https://topclassactions.com/disability-class-action-lawsuit/chipotle-takao-baby-blues-bbq-restaurant-ada-lawsuits/ |url-status=live |access-date=14 March 2026 |website=Top Class Action}}</ref>
 ===AI-voice ordering systems unlawfully collected Customers Data (2022)===
@@ Line 68: / Line 78: @@
 In 2020 Chipotle agreed to pay 25 million dollar fine and a three year deferred prosecution agreement related to the foodborne illness outbreaks that sickened more than 1,100 people between 2015 and 2018.<ref>{{Cite web |date=2020-04-21 |title=Office of Public Affairs |url=https://www.justice.gov/archives/opa/pr/chipotle-mexican-grill-agrees-pay-25-million-fine-and-enter-deferred-prosecution-agreement |website=justice.gov}}</ref>
-===2015 Salmonella===
+[https://digitalchew.com/2025/12/10/chipotle-lawsuit-woman-claims-rodent-in-burrito/ /]
+=== 2015 Salmonella ===
 ===2015 E.Coli (October)===