McDonald’s Corp. said late Friday that an unauthorized third party had illegally obtained e-mail addresses, phone numbers and other personal data from many customers who had signed up for e-mail and website promotions.
The data breach occurred at a subcontractor of Arc Worldwide, a contractor McDonald’s hired to manage its e-mail promotions campaign. Arc hired the subcontractor, whose name was not disclosed, to actually deliver the e-mails, and the perpetrators targeted that company with the hack.
McDonald’s confirmed that information contained within the hacked database included customers’ contact and demographic information. The company noted that it does not collect Social Security numbers or financial information.
“The information contained in the database is limited to your e-mail address and potentially also your name, postal address, home or cell phone number, birth date, gender, and certain information about your promotional preferences or Web information interests,” McDonald’s wrote to the affected customers.
McDonald’s also stressed that none of the stolen information came from transactions at the stores.
“This incident has nothing to do with credit card use at the restaurants,” McDonald’s wrote. “The database that was accessed by the unauthorized third party did not contain any credit card information or any other financial information. Further, the information in the database was not gathered from our restaurant registers, but from voluntary subscriptions to our websites or promotions.”
The affected customers submitted their information to McDonald’s during an online promotion or through promotional websites such as McDonalds.com, 365Black.com, McDonalds.ca, McDonaldsMom.com, McDLive.com, Monopoly.com, PlayatMcD.com, or MeEncanta.com, the company said.
McDonald’s said it is cooperating fully with authorities conducting an investigation.
There have been several high-profile hacks recently, including a breach at popular website Gawker over the weekend that compromised 1.5 million accounts — including user names and passwords. In response to the recent arrest of WikiLeaks founder Julian Assange, hackers also attacked the websites of PayPal, Swiss bank PostFinance and MasterCard.
Hackers have targeted the restaurant industry before, including what federal officials characterized as “the largest hacking and identity theft ring ever prosecuted by the U.S. government” during the trial earlier this year against Albert Gonzalez, who infiltrated the payment card databases of Dave & Buster’s, Boston Market and industry payment processor Heartland Payment Systems, among other companies.
McDonald’s told affected customers not to respond to e-mails asking for sensitive information.
“If you are contacted by e-mail or otherwise by someone claiming to be from McDonald’s asking for your sensitive financial information, do not provide it,” the company wrote. “McDonald’s does not ask for that type of information online or by e-mail. Instead, please call us at (800) 244-6227 and let us know so we can contact the authorities.”
McDonald’s operates or franchises more than 32,000 restaurants worldwide.
Contact Mark Brandau at [email protected].