Breach Notification , Cybercrime , Fraud Management & Cybercrime
McDonald's Breach Exposes Korean, Taiwanese Customer DataCompany Says Phone Numbers, Delivery and Email Addresses Exposed
Fast-food giant McDonald's is acknowledging a data breach affecting some customer and company data from its locations in Korea and Taiwan that was taken from its McDonald's delivery system.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
The company's U.S. corporate office offered only sparse details on the incident that exposed what it describes as some "personal data" in the two markets. A statement dated Friday on McDonald's Taiwanese website, however, says the incident involved McDonald's delivery system and warned customers to be aware of fraudulent emails and phone calls.
"It is known that the delivery order information contains personal information including email, contact number and delivery address but does not contain any financial information (such as bank account numbers, credit card numbers and passwords)," a translated company statement on the company's Taiwan website says.
Additionally, the company indicates that the cyber incident may have reached outside of Korea and Taiwan.
"In the coming days, a few additional markets will take steps to address files that contained employee personal data," McDonald's corporate office tells Information Security Media Group in an email statement.
McDonald's declined to offer further details about when the attack happened, the type of attack and how many records the attackers compromised.
McDonald's operates about 704 locations in Taiwan and Korea.
Be on Guard
The McDonald's Taiwan statement warns its customer to be wary of any calls or emails they may receive in the coming days purporting to be from the company.
"If you receive a call from a customer who claims to be a Taiwanese McDonald's customer service representative or any unknown third party to ask for personal financial information, please be alert to avoid being deceived," the company says.
Lee McKnight, associate professor at Syracuse University’s School of Information Studies, says in addition to the spam and phishing issues, other hostile possibilities exist.
“First, the intruders perhaps could not breach enough systems to install ransomware and attempt to force McDonald’s to pay to unlock their systems," McKnight says. "Or the intruders were not trying to install ransomware, and instead obtained exactly the data they were looking for, which could be information to facilitate other actions."
The company's U.S. corporate office confirms it uncovered and blocked the attack and then conducted an extensive investigation into the data breach that included collaborating with outside security firms.
"While we were able to close off access quickly after identification, our investigation has determined that a small number of files were accessed, some of which contained personal data," the company says. "Based on our investigation, only restaurants in Korea and Taiwan had customer personal data accessed, and the company intends to notify regulators and customers listed in these files."
The corporate office says it will take its lessons learned from this incident and leverage the findings from the investigation as well as input from security resources to identify ways to further enhance its existing security measures.
"McDonald's understands the importance of effective security measures to protect information, which is why we've made substantial investments to implement multiple security tools as part of our in-depth cybersecurity defense," the company says. "These tools allowed us to quickly identify and contain recent unauthorized activity on our network."