Some Chipotle customers are reportedly getting a lot more than they bargained for after using the restaurant's app to order a meal.
In recent months, several customers have reported that the burrito chain's app charged them over a hundred dollars for orders they didn't actually place.
Ohio resident Jessica Gallenstein said she experienced an issue when she received an alarming alert from her bank after placing a single order on the chain's app.
"My account was in negative amounts, and more than a hundred dollars were placed for orders I didn't give permission to be placed," she told reporter John Matarese.
When Gallenstein logged into her bank account, she soon saw that multiple orders (ranging from $10-$40) had been placed through the Chipotle app without her permission on the same day.
When reached by TODAY Food, a spokesperson for Chipotle declined to say how many customer complaints the company had received regarding fake charges, but a Reddit thread started earlier this year follows the complaints of at least seven people who claim they were affected.
Allison Ingrum, an editorial intern at TODAY, said she experienced a similar issue earlier this month when she saw four suspicious charges, ranging between $19 to over $50, on her Chipotle account. Soon after, she received a Chipotle confirmation email for one of the charges, which was ordered by someone in Madison, Wisconsin. Ingrum lives in New York City.
"Next, I got another email from Chipotle saying the email and phone number on my account had been changed," she said.
Ingrum contacted her bank immediately and they reversed the charges then shut down her debit card. She tried to report the issue to Chipotle but since her email address wasn't registered with her account anymore, the attempt was unsuccessful. "Since my debit card was shut down by this point, I saw no more harm to be done," she said.
Like Gallenstein, this was Ingrum's first experience with suspicious charges on the Chipotle app. The mysterious charges left a bad taste in her mouth. "I was shocked to see the charges, especially since they totaled to approximately $130. I totally thought it was an isolated incident, so I am surprised to hear others are having the same problem," Ingrum said.
Chipotle's Chief Reputation Officer Laurie Schalow told TODAY that, to her knowledge, the company has not experienced a data breach.
"The privacy and security of our customer information is very important to us. Chipotle customer accounts, like customer accounts for many other retail, hotel, and restaurant companies, have had instances of credential stuffing. This occurs where user names and passwords stolen from other companies are tested to see if they work to access accounts at other companies," she said.
"Chipotle has not identified any indication that user names and passwords were taken from Chipotle’s network, and Chipotle does not retain the full payment card number after it is used for digital orders."
Schalow explained that Chipotle, much like other restaurants, is constantly working to ensure their customers' personal information is safe, saying, "We have taken steps to combat credential stuffing including engaging with law enforcement, requiring strong passwords and through technology. We also engage security firms to evaluate our security measures"
If customers do experience issues, Schalow encouraged them to email the chain's support team at CustomerServiceTeam@chipotle.com.
With more stores offering mobile services, consumers are often curious about how best to protect their personal information in the digital age. In 2018, cybersecurity expert Jim Stickley told TODAY that consumers should be wary of joining public Wi-Fi accounts that can easily be hacked, and people should also install anti-virus software on their phones and laptops.
This isn't the first time Chipotle customers have had to deal with fraudulent charges in recent years.
In April, fans of the fast casual chain took to Twitter to let Chipotle know they'd seen suspicious activity on their accounts. At the time, a Chipotle rep told TODAY that they had "no indication of any breach of Chipotle’s databases or systems."
The company did, however, experience a malware issue in 2017 when hackers stole customer information at stores nationwide.
This fall, Chipotle faced criticism over a totally different type of less-than-stellar consumer experience. In September, the chain made headlines when many customers complained they had been served brown and underripe guacamole. Fans of the burrito chain were concerned that the restaurant had changed its recipe, but it turns out the discolored guac was due to seasonal changes in the restaurant's avocado supply.