(Adds company, expert comment)
May 26 (Reuters) - Chipotle Mexican Grill Inc said on Friday hackers used malware to steal customers card data, including account number, expiration date and internal verification codes, from payment systems at some of its restaurants between March 24 and April 18.
Chipotle, which is fighting to recover from 2015 food safety lapses that pummeled its sales, said it did not know how many payment cards had been affected but said the malware has since been removed.
The information could be used to drain bank accounts, if a debit card was used, or to make credit card purchases, said Paul Stephens, director of policy and advocacy at the non-profit Privacy Rights Clearinghouse.
An investigation into the breach found the malware searched for track data from the magnetic stripe of payment cards used in certain Chipotle and Pizzeria Locale restaurants.
Chipotle is not offering credit monitoring, as many other chains have in the past.
"Credit monitoring is only designed to let you know when someone is opening a new credit account using your information. Credit monitoring does not alert you when a fraudulent charge is made on a payment card," spokesman Chris Arnold said in an email to Reuters.
Shares in the chain were down nearly 0.1 percent at $481.02 in late trading on Friday. (Reporting by Natalie Grover in Bengaluru and Lisa Baertlein in Los Angeles; Editing by Arun Koyyur and Grant McCool)