Bellwether Community Credit Union has filed a class-actionlawsuit against Chipotle and is seeking damages related to thefast-casual restaurant company's recent data security breach,according to documents filed in a Colorado District Court on May 4.The suit is the latest in a chain of class-action complaints filedagainst retailers and restaurant companies, such as Arby's, Wendy's, Home Depot and Target.

The complaint alleges the breach compromised names, credit anddebit card numbers, card expiration dates, card verification valuesand other information of Chipotle customers nationwide. It alsosaid the breach forced credit union and other financialinstitutions to cancel or reissue cards, close accounts, stoppayments, block transactions, issue refunds, increase fraud monitoring efforts and deal withcardholder complaints and confusion. Credit unions and financialinstitutions also lost interest and transaction fees due to reducedcard usage, and the cards and their corresponding account numbersbecame worthless, it added.

“Though an investigation is still ongoing, it appears thathundreds of thousands of defendant's customers at locationsnationwide have had their credit and debit numbers compromised,have had their privacy rights violated, have been exposed to therisk of fraud and identify theft, and have otherwise suffereddamages,” the complaint alleged.

Manchester, N.H.-based Bellwether Community Credit Union, whichhas $488 million in assets and 34,000 members, said the breach'sdamages exceed $5 million and involve at least 100 financialinstitutions.

The suit also claims that, among other things, Chipotle failedto ensure it maintained adequate security measures, didn't use bestpractices and didn't upgrade its security systems. Bellwether alsoalleged that Chipotle hasn't implemented EMV in its stores.

Chipotle's most recent 10-K noted that the company experienced apossible breach in 2004. That one cost about $4.3 million in lossesand related expenses, it reported.

“Despite its 2004 data breach, Chipotle quite obviously failedto upgrade its data security systems in a meaningful way so as toprevent future breaches,” the complaint said.

“Defendant's public statements to customers after the databreach plainly indicate that defendant believes that card-issuing institutions should be responsible for fraudulentcharges on cardholder accounts resulting from the data breach.Chipotle has made no overtures to the card-issuing institutionsthat are left to pay for damages as a result of the breach,” thecomplaint added.

In an April 25 statement addressing the breach, Chipotle said ithad detected unauthorized activity on the network that supports itspayment processing for purchases made in its restaurants.

“We immediately began an investigation with the help of leadingcyber security firms, law enforcement, and our payment processor.We believe actions we have taken have stopped the unauthorizedactivity, and we have implemented additional security enhancements.Our investigation is focused on card transactions in ourrestaurants that occurred from March 24, 2017 through April 18,2017. Because our investigation is continuing, complete findingsare not available and it is too early to provide further details onthe investigation,” it said.

Bellwether Community Credit Union Credit Union asked the courtto, among other things, require Chipotle to use industry standardencryption of cardholder data at the point of sale, implement EMVtechnology, use third-party auditors to test its systems forweakness, train data security personnel about how to respond to adata breach and install manufacturer-recommended upgrades to itssecurity software and firewalls.

As of March 31, 2017, Chipotle operated over 2,200 restaurantsin the United States, as well as 34 international locations. Itreported $3.9 billion in revenues in 2016. Its most recent 10-Knotes that 70% of its 2016 sales were attributable to credit anddebit card transactions.

“Therisk of another such breach is real, immediate, andsubstantial,” the complaint said. “If another massive data breachoccurs at Chipotle, plaintiff and members of the class will likelyincur hundreds of millions of dollars in damage.”