McDonald’s, the largest global fast-food chain, has disclosed a data breach after hackers broke into its systems and stole information belonging to customers and employees in the US, South Korea, and Taiwan.
As a global food service retailer, McDonald’s serves almost hundreds of millions of customers every day at more than 39,000 locations in over 100 countries, including approximately 14,000 restaurants in the US alone.
The company stated that cybercriminals breached its systems in multiple markets worldwide, and that the intrusion was discovered during an investigation conducted by external security consultants.
McDonald’s told US employees that the attackers managed to steal business contact information belonging to US employees and franchises, and that this information wasn’t personal or sensitive.
The threat actors also stole personal information such as names, emails, phone numbers, and addresses from customers in South Korea and Taiwan.
However, the number of customer documents exposed in the incident was small, and the breach did not affect customers’ payment info in any way.
McDonald’s stated that as soon as they identified the breach, they closed off all access. The investigation determined that a small number of files were accessed, some of which contained personal data.
Only Korea and Taiwan had customer personal data accessed, and they will be taking steps to notify regulators and customers who were affected.
The fast-food chain is currently notifying affected customers and relevant authorities in all impacted markets.
McDonald’s also stated that they have made substantial investments to implement multiple security tools as part of their in-depth cybersecurity defense. These tools allowed them to quickly identify and contain unauthorized activity on their network. They also worked with experienced third parties to support this investigation.
McDonald’s has dealt with a security incident before: in 2017, the company was forced to fix a cross-site scripting (XSS) vulnerability that affected its official website and exposed customers’ plain text passwords.