McDonald’s Corp. data was breached by hackers in some markets, including the United States, South Korea and Taiwan, and the company warned employees and franchisees to be on the alert for phishing attacks, the company said Friday.
The Chicago-based quick-service chain said it had hired external consultants to investigate unauthorized activity on an internal security system. The investigation was prompted by a breach that was identified about a week after it happened.
“A thorough investigation was conducted, and we worked with experienced third parties to support this investigation,” a McDonald’s spokesperson said Friday.
“While we were able to close off access quickly after identification, our investigation has determined that a small number of files were accessed, some of which contained personal data,” the spokesperson said.
“Based on our investigation, only Korea and Taiwan had customer personal data accessed, and they will be taking steps to notify regulators and customers listed in these files,” the company said. “No customer payment information was contained in these files. In the coming days, a few additional markets will take steps to address files that contained employee personal data.”
The company said business was not interrupted.
The breach was first reported Friday by the Wall Street Journal. The report noted that McDonald’s told its U.S. employees “the breach disclosed some business contact information for U.S. employees and franchisees, along with some information about restaurants such as seating capacity and the square footage of play areas.”
“The company said no customer data was breached in the U.S., and that the employee data exposed wasn’t sensitive or personal,” the report noted. “The company advised employees and franchisees to watch for phishing emails and to use discretion when asked for information.”
Ed Bishop, co-founder and chief technology officer at London-based Tessian, an email security company, said in a statement: “Hackers will be quick to exploit the business contact details exposed in this breach, either simply selling the data or using the information to send convincing phishing, smishing or vishing attacks to victims of the breach.” Phishing arrives by email, smishing by text message, and vishing by phone call or voice message.
“The warning for all McDonald's employees and franchisees, then, is to watch out for phishing emails and verify any requests for payments or information with the supposed source via another means of communication before complying with the request,” Bishop said. “No matter how urgent the message appears, always take a minute to check its legitimacy.”
Bishop said McDonald’s notified regulators in Asia of the breach Friday, and that they would contact customers and employees. “The company said its divisions would also notify some employees in South Africa and Russia of possible unauthorized access to their information,” Bishop said.
The breach in South Korea and Taiwan involved emails, phone numbers and addresses for delivery customers, but it did not include payment information, the Wall Street Journal said.
The McDonald’s spokesperson said the company has “made substantial investments to implement multiple security tools as part of our in-depth cybersecurity defense.
“These tools allowed us to quickly identify and contain recent unauthorized activity on our network,” the company said. “A thorough investigation was conducted, and we worked with experienced third parties to support this investigation.”
McDonald’s USA has 14,000 restaurants, with 95% of them franchised. Globally, the brand has more than 39,000 locations.
Contact Ron Ruggless at [email protected]
Follow him on Twitter: @RonRuggless