Hackers used malware to steal customer payment data from most of Chipotle Mexican Grill Inc.’s restaurants over a span of three weeks, the company said on Friday, adding to woes at the chain that has just started recovering from a string of food safety lapses in 2015.

Chipotle said it did not know how many payment cards or customers were affected by the breach that struck most of its roughly 2,250 restaurants for varying amounts of time between March 24 and April 18, spokesman Chris Arnold said via email. Stolen data included account numbers and internal verification codes.

The malware has since been removed.

The information could be used to drain bank accounts, make “clone” credit cards, or to buy things on certain less-secure online sites, said Paul Stephens, director of policy and advocacy at the nonprofit Privacy Rights Clearinghouse.

An investigation into the breach found the malware searched for track data from the magnetic stripe of payment cards.

Chipotle is not offering credit monitoring or notifying affected customers directly, as many other chains have in the past. A handful of Canadian restaurants were also hit.