DENVER -- Records show Chipotle Mexican Grill has routinely acknowledged the risks associated with its payment processing systems, most recently in the weeks before a security breach compromised payment information belonging to an untold number of its customers.
The company now faces two new class action lawsuits from customers, one of whom says "the Defendant knew or should have known about the elementary infirmities associated" with its security systems.
The cases were filed in U.S. District Court on Friday -- one in Colorado, the other in California. The plaintiff on the Colorado case is Todd Gordon, an Arizona man who said his newly-issued American Express card was used by a fraudster in Florida just weeks after he visited a Phoenix-area Chipotle restaurant.
"As a result of Plaintiff's credit card account exceeding its limit through no fault of Plaintiff's own, American Express made a report to the credit bureaus, thereby negatively affecting Plaintiff's credit score and information," the case states.
According to the civil complaint, which has not yet received class action certification, Gordon "had not experienced credit card fraud or identity theft with respect to his American Express credit card account" prior to the fraudster using the card.
Gordon's attorneys have not yet responded to Denver7's request for comment.
As part of Gordon's case, his attorneys cite an annual Securities and Exchange Commission (SEC) filing where Chipotle acknowledged that its payment processing system poses a risk to the company. The record was filed in early February -- a little more than a month before the breach occurred.
"We may be harmed by security risks we face in connection with our electronic processing and transmission of confidential customer and employee information," it stated.
"We may in the future become subject to additional claims for purportedly fraudulent transactions arising out of the actual or alleged theft of credit or debit card information, and we may also be subject to lawsuits or other proceedings in the future relating to these types of incidents," the company further stated in the filing. "Any such proceedings could distract our management from running our business and cause us to incur significant unplanned losses and expenses. Consumer perception of our brand could also be negatively affected by these events, which could further adversely affect our results and prospects."
The SEC filing notes that Chipotle incurred roughly $4.3 million in losses and expenses related to a security breach in August 2004.
The company noted the 2004 data breach and data security risks in every annual SEC filing between 2006 and 2016 -- the filings readily available through the SEC online.
70-percent of the restaurant chain's customer transactions involved a credit or debit card in 2016, according to the most recent SEC filing.
The credit unions contend that the breach forced them to spend time and money on behalf of their customers.
"The Chipotle Data Breach was the inevitable result of Chipotle’s inadequate data security measures and approach to data security," the lawsuit, filed in May by Alcoa Community Federal Credit Union, states. "Despite the well-publicized and ever-growing threat of cyber breaches involving payment card networks and systems, Chipotle systematically failed to ensure that it maintained adequate data security measures, failed to implement best practices, failed to upgrade security systems, and failed to comply with industry standards by allowing its computer and point-of-sale (“POS”) systems to be hacked, causing financial institutions’ payment card and customer information to be stolen."
Company's response questioned
Each of the lawsuits raise issue with how the company's responded to the breach in the weeks after it made customers aware.
In Gordon's case, his attorneys question why Chipotle has still not implemented a chip-based card technology at its restaurants. They also question why the company "has not offered or provided any monitoring service or assistance" to customers.
Chipotle spokesperson, Chris Arnold, said in an email that the company is not offering credit monitoring because "that is only designed to let you know when someone is opening a new credit account using your information. Credit monitoring does not alert you when a fraudulent charge is made on a payment card."
As for the risks noted in Chipotle's annual SEC filings, Arnold said identifying risks is routine.
"Like any public company, we are required to disclose potential risks to our business, no matter how remote," he said in an email to Denver7 Investigates.
Arnold said other business risks are routinely identified in SEC filings, such as marketing and advertising strategies that may not be successful or how changes in customer tastes and preferences, spending patterns and demographic trends could cause sales to decline.