Global burger chain McDonald’s suffered a data breach that compromised the business contact information of some of its US employees and franchisees and the names, phone numbers, and addresses of customers in South Korea and Taiwan.
McDonald’s discovered the breach of employee and customer records after it engaged external consultants to investigate unauthorised activity on one of its internal systems. Unauthorized third party access to the affected systems were closed as soon as the company discovered the breach.
The company’s investigation revealed that hackers had exfiltrated the personal data of some customers in South Korea and Taiwan but were not able to access any payment information. As reported by The Wall Street Journal, the company also learned about the breach of additional details such as business contact information of some US employees and information about the square footage of play areas and seating capacities at various restaurants.
“We conducted a thorough investigation and cooperated with an experienced third party to support the investigation. In the future, we will use the findings of this investigation to further strengthen security measures.
“While we were able to close off access quickly after identification, our investigation has determined that a small number of files were accessed, some of which contained personal data,” McDonald’s said.
With the announcement, McDonald’s joins the league of several large-scale enterprises that have suffered sophisticated ransomware attacks or have suffered data theft as a result of cyber attacks in recent days. “The rise in attacks indicates need for organisations to practice cyber-resilience and take steps to mitigate the risks cyber attacks pose, before they actually happen,” says Nikos Mantas, Incident Response Expert at Obrela Security Industries.
“Cyberattacks are here to stay, so the only defence today is getting into a post-breach mindset before they happen to limit the negative outcomes such as loss of customer PII, employee information and loss of consumer trust, not to mention substantial regulatory fines for non-compliance.”
According to Sam Curry, Chief Security Officer at Cybereason, the silver lining in this case is that McDonald’s has admitted increasing its investments in cyber security defense and the data breach was discovered early enough to shut off access to critical corporate data, customer data and maybe even the recipe for the secret sauce used in McDonald’s iconic Big Mac.
“Kudos to McDonald’s for being transparent and we look forward to hearing more from them as they can be seen as the hero in this situation if they prevent future data breaches and share some of their playbooks with the industry to help other companies from being victimised.
“Having a post-breach mindset is critical in combating cyber risks to businesses. You must assume the threat actors will get in because they eventually will, and stop them quickly and push them out of networks,” he adds.