Chipotle

This is a list of all consumer-protection incidents this company is involved in. Any incidents not mentioned here can be found in the Chipotle category.

Around 2004, Hackers gained access to Chipotle payment systems, stealing customers data labelled as "Track 2" that contained customers name, card number, card expiration date, and card verification number. Chipotle found out about the attack in August after their merchant bank informed the company of the attack. Although specific details aren't publicized, through fillings with the Securities Exchange Commission:, the company lost an estimate $4.3 million in revenue starting 2004 through 2006.^[1]

In November, three customers filed a lawsuit against Chipotle for falsely advertising the quantity of calories contained in various products after eating a Chorizo Burrito that indicated the product will contain 300 calories with an in-store sign, however the actual contents amounted to over 1000 calories.^[2] Chipotle responded via a tweet on twitter (now formarly X) saying; "I'm sorry for the confusion, but we'll make things more clear next time. The 300 calories is for the chorizo."^[3] The lawsuit reached a settlement in October 2017 that resulted in Chipotle changing their signs to display correct calories contents and rewarding the plaintiffs $5000.^[4]

In January, Leah Caldwell filed a lawsuit against Chipotle for unlawful advertisement and marketing of her photo, seeking over $2.2 billion in damages.^[5] In 2006, Leah Caldwell sat in a Chitpotle restaurant when photographer Steve Adams took a photo of her while eating. Before leaving, Steve Adams asked her to sign the sign a release form, however she declined.^[6] 8 years later around December, she discovered her photo was used as promotion Florida and Califronian chipotle restaurant up till 2015.^[7][8] The Lawsuit reached a settlement in 2017, however specific details surrounding the agreement remain unknown.^[4]

Between March 24 to April 18, hackers were able to infiltrate Chipotle point of sale systems through a malware attack, affecting over 2,250 locations globally and resulting in some customers name, card number, expiration date, and verification code information being stolen. On April 25, Chipotle disclosed and started an investigation into the incident. Additionally The company claimed no other information was collected.^[9]

“During the investigation we removed the malware, and we continue to work with cyber security firms to evaluate ways to enhance our security measures,” the company says. “In addition, we continue to support law enforcement”s investigation and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring.”^[10]

This resulted in a lawsuit being filed against Chipotle on May 4 for failure to conduct adequate security measures and prevent future breaches.^[1] A settlement was reached in 2019, compensating customers affected between March 24 and April 18 $250 or $10000.^[11]

Around April, people posted on Reddit and X (Formally Twitter) of their accounts being used to order food across different locations.^[12] A spokesperson at Chipotle responded by saying the attack was due to credential stuffing, however several customers claimed to have unique passwords specific to Chipotle.^[13] The exact amount of customers affect, along with specific dates towards fixing the vulnerability and names of perpetrators, remains unknown.

On December 21, Richard Rabinowitz filed a class action lawsuit against Chipotle for allegedly violating the Telephone Consumer Protection Act by sending customers marketing messages without consent through their automatic telephone dialing system. Around November 17 through December 18, Richard Rabinowitz received 5 messages marketing the newly released Queso, however the plaintiff claims it was targeted marketing as the Queso wasn't positively received by customers. ^[14] As of March 2026, the lawsuit is still progressing in courts.

On June 19, a lawsuit was filed against Chipotle for allegedly sending customers marketing messages without consent using an automatic dialer for promotion of their products. As of March 2026, the case is still ongoing.^[15]

On January 18, Sandra Diaz filed a lawsuit against Chipotle after receiving marketed messages on October 31 without given consent. The plaintiff alleges the company sent messages to customers using an automatic dialing system, dating to early July 2021.^[1] As of March 2026, the lawsuit is still in progress.

https://topclassactions.com/lawsuit-settlements/consumer-products/food/6-5m-chipotle-class-action-settlement-approved/

https://natlawreview.com/article/65-million-settlement-reached-eve-trial-class-action-lawsuit-against-chipotle-over

https://www.today.com/food/chipotle-customers-say-chain-charging-them-hundreds-dollars-fake-orders-t164862

Chipotle was involved in a lawsuit, alleging failure to provide access towards disabled customers with wheel chairs due to lack of feet comfort in tables and chairs. The case was dismissed in 2022.^[16]

https://www.classaction.org/news/applebees-red-lobster-other-restaurants-hit-with-biometric-privacy-suit-in-illinois-over-ai-voice-ordering-systems

https://topclassactions.com/lawsuit-settlements/lawsuit-news/applebees-chipotle-other-restaurants-face-class-action-alleging-automated-voice-ordering-technology-data-privacy-violations/

https://www.classaction.org/news/class-action-claims-chipotle-hides-fees-despite-advertising-free-and-1-delivery 2021

https://www.classaction.org/news/new-chipotle-lawsuit-alleges-restaurant-cloaks-costly-service-fee-within-tax-charged-for-online-orders 2024

https://www.classaction.org/news/chipotle-gift-card-refunds-lawsuit-says-meal-vouchers-are-worthless

https://www.the-sun.com/money/12792714/chipotle-ceo-change-orders-diners-threatened-boycott/

In 2020 Chipotle agreed to pay 25 million dollar fine and a three year deferred prosecution agreement related to the foodborne illness outbreaks that sickened more than 1,100 people between 2015 and 2018.^[17]

/

https://www.foodpoisoningnews.com/food-poisoning-at-chipotle-a-history-of-food-safety-issues/

https://www.foodpoisoningnews.com/food-poisoning-at-chipotle-a-history-of-food-safety-issues/

https://archive.cdc.gov/#/details?url=https://www.cdc.gov/ecoli/2015/o26-11-15/index.html

https://www.foodmanufacturing.com/ingredients/news/13182117/e-coli-outbreak-linked-to-chipotle-expands-to-6-states

https://www.wcpo.com/lifestyle/food/chipotle-e-coli-outbreak-spreads-to-akron-store

https://www.wral.com/story/cause-of-ohio-chipotle-outbreak-identified/17773868/

https://www.devicedaily.com/pin/chipotle-eats-itself/

https://www.mashed.com/250704/scandals-chipotle-can-never-live-down/

https://www.msn.com/en-us/food-and-drink/general/ewww-chipotle-sued-after-woman-bites-into-rodent-in-burrito-bowl/ar-AA1S4rYi

https://www.independent.co.uk/news/world/americas/chipotle-lawsuit-rodents-doordash-nyc-b2887823.html

https://www.ndtv.com/food/us-woman-claims-she-bit-into-rodent-inside-chipotle-burrito-bowl-sues-chain-9791182

https://digitalchew.com/2025/12/10/chipotle-lawsuit-woman-claims-rodent-in-burrito/

• Taco Bell
• Chick-fil-A
• Arby's