McDonald’s has alerted a number of its customers that their personal details might have been compromised, following a hacking exploit in the US.
In a letter sent to those believed to have been affected, McDonald’s said that no financial details were exposed.
“McDonald’s does not collect sensitive financial information, such as social security numbers or credit card numbers online or through email. As such, the information improperly accessed did not include this type of information,” the fast food company wrote in a statement.
The data did, however, include information required to confirm age, a method of contact, such as name, mobile phone number, postal address and email address, along with other general preference information. The hack came as US online media business Gawker suffered the loss of thousands of passwords in a hacking incident.
It was not McDonald’s that was actually hacked, but an unnamed company used by McDonald's partner Arc Worldwide. The unnamed company processes and stores emailed information for Arc.
The fast food company has not said whether the information accessed covered any non-US citizens, or how far back the archived information goes. The company closed a massively popular Monopoly competition at the end of last month.
Outsourcing contracts – such as the one relied on by McDonald's, can create a cascade of interdependencies when it comes to information security. Colin Tankard, managing director of security and encryption specialist Digital Pathways, believes that all personal customer and employee details should be stored in encrypted form.
"Once again the issues of securing data by use of encryption, strong user authentication, access levels and having data security strategies in place comes to the fore,” he said. “It is about time companies woke up to the fact that this issue is here to stay and needs serious consideration not just lip service.
“This case has highlighted the difficulty with interdependence and it is hard to see how cloud strategies can sensibly ensure that all possible links to the originators' data is secured,” he continued. “It really is a due diligence issue for each link in the chain. Each company in the chain should be ensuring that its outsourcing company has robust security.”
McDonald's is working with law enforcement agencies to determine how the security was breached at the company hired by Arc, which is the marketing services division of advertising agency Leo Burnett.
“At the end of the day, it is now McDonald’s who is suffering from the bad publicity not the third party company," Tankard said. "The responsibility always sits with the primary company.”
In October, McDonald's UK issued an internet security warning to its customers following a spate of phishing emails claiming to come from the brand.