Dollar Bank issuing new debit cards in the wake of Chipotle data breach | Valley News Dispatch

Tuesday, May 2, 2017, 3:03 p.m.
Gwen Titley | Tribune-Review
Dollar Bank said Tuesday, May 2, 2017, that it will issue new debit cards to about 5,000 of its customers who might have been affected by a data breach at several Chipotle restaurants.

Dollar Bank will send new debit cards on Friday to about 5,000 customers in Western Pennsylvania, following a data breach at the popular food chain Chipotle.

Chipotle, which has about a dozen locations in the region, detected unauthorized activity on the network it used for processing payments during the last week of March and first half of April, according to a statement issued by the company.

The company said the breach has been fixed but recent customers should watch their bank accounts for suspicious activity.

“Our investigation is focused on card transactions in our restaurants that occurred from March 24, 2017, through April 18, 2017,” the statement reads, without specifying which restaurants were involved or for how long.

“We are working with investigators to complete the investigation. When there is more information available, we will share that accordingly,” Chipotle Communications Director Chris Arnold said when asked for more specific information.

Joseph Smith, senior vice president of marketing for Dollar Bank, said his company has tried to notify all of its affected customers. The bank’s policy is to issue new cards when a data breach becomes apparent, he said.

“This is now becoming so standard for the industry; there are so many breaches,” he said. “What is unusual in this case is that it was an extended period of time and involved a large number of cards.”

Smith said old cards will remain functional until new cards are activated or until May 16, whichever comes first.

Customer access PINs will not be changed, but new cards will come with different numbers, which could affect card users with automatic payments scheduled to use their old cards.

So far, no customers have reported unauthorized activity on their accounts stemming from the data breach, Smith said.

Marcey Zwiebel, a spokeswoman for PNC bank, said PNC will not issue new cards, but encouraged customers to monitor bank accounts for fraudulent activity.

“We’re still evaluating the full impact of this situation on our customers. At this time, based on our evaluation of the impact, we are not issuing new cards,” she said.

Inga Goddijn, executive vice president of Risk Based Security, a Virginia-based company that tracks data breaches and provides cybersecurity services, said Chipotle’s breach was similar to others that happen with an unfortunate regularity.

Goddijn said the hackers behind data breaches such as Chipotle’s often take their time infiltrating a system and, once they are in, slowly move around the system to see what sort of data they can access and how they can extricate it.

Credit card data often is sold on the black market to people who make fake credit cards with the numbers. Those people then go to retailers such as Target and buy gift cards, Goddijn said. Tracking down the hackers and fraudsters is difficult and often impossible.

Goddijn said that identifying a security breach within a month isn’t that bad compared with other breaches.

“Oftentimes, with breaches like this, the intrusion isn’t necessarily detected until fraudulent activity is noticed,” Goddijn said.

Credit card numbers were accessed in about 20 percent of the more than 4,000 security breaches in 2016, a report from Risk Based Security found.

Lorrie Cranor, co-director of CMU’s Privacy Engineering Master’s Program, said banks typically issue new cards after accounts are compromised in a breach.

“The threshold of when they are going to send you a new card has lowered,” said Cranor, who is also a faculty member at CyLab, a cybersecurity research and education institute at CMU, and a professor in the departments of Engineering and Public Policy and the Institute for Software Research.

“Changing a customer’s account number is a relatively easy and inexpensive thing to do and can save problems later.”

Cranor said chances are good that, no matter what, victims of credit card fraud won’t be on the hook for fraudulent purchases. Catching fraud early, however, will make it easier to sort out.

Both Cranor and Goddijn said the best way to stay safe is to carefully monitor credit and debit card statements. Cranor recommends looking at statements every month.

“Really get into the habit of doing that,” Cranor said. “That will allow you to detect a problem within a few weeks.”

Goddijn advises studying every transaction, even small ones. Transactions of a few dollars or less can be a red flag.

“Oftentimes, those small charges are used to test whether the card or the information is still good,” Goddijn said.

Goddijn added that people should contact their banks right away if they suspect fraud and that credit cards typically offer a little better consumer protection than debit cards.

Cranor suggested people check out for more resources.

Matthew Medsger is a Tribune-Review staff writer. Reach him at 724-226-4675 or on Twitter @matthew_medsger. Aaron Aupperlee is a Tribune-Review staff writer. Reach him at 412-336-8448 or via Twitter @tinynotebook.
