McDonald's customer data compromised through contractor

McDonald's is warning customers that sensitive data was exposed by a breach at a contractor hired by another contractor.
  • (PC World (US online))
  • — 14 December, 2010 01:53

McDonald's is warning customers to be on guard against identity theft, phishing attacks, or other scams thanks to a data breach. What makes the data compromise more concerning is that it is indicative of a growing hacker strategy to go for the low-hanging fruit rather than staging a direct attack.

Hackers did not breach McDonald's per se. The attackers were able to access the sensitive McDonald's customer data through a third-party contracted by a third-party contracted by McDonald's. McDonald's hired Arc Worldwide to manage its promotional e-mail campaign, and Arc Worldwide hired another third-party to actually distribute the e-mails. That third-party -- which remains anonymous -- is the one that was hacked.

The good news for affected McDonald's customers is that the e-mail promotional campaigns do not involve collecting more sensitive information such as Social Security numbers, or credit card information. Still, data such as names, phone numbers, e-mail addresses, physical addresses, and other information that was exposed can be used for social engineering and identity theft attacks.

McDonald's has sent an e-mail to customers alerting them that their personal information may have been exposed. The e-mail asks customers to be more vigilant about potential identity theft or phishing threats, and asks them to contact McDonald's in the event that they receive any communications claiming to be from McDonald's which in any way ask the customer to share personal or financial information.

IT admins should pay close attention to this incident. Just as malware developers have focused more attention on third-party software like Adobe Reader rather than trying to exploit the Windows operating system directly, hackers have also learned that the easiest path to compromising a network is often through a third-party provider.

Partners and vendors often have trusted connections into fortified, high-value networks, and they represent low-hanging fruit that attackers can target. The smaller third-party organizations frequently lack the security policies and controls of the larger companies, and provide an Achilles heel that hackers can exploit to gain access to the more valuable network -- often flying undetected under the radar.

There are two things that IT admins need to do in order to protect sensitive data and network resources. First, do some due diligence and establish some security guidelines for third-party providers to ensure they meet security requirements. An extension of that would be to also require third parties contracted by the third party to meet the same requirements and go through the same vetting process before being authorized to connect to the network.

The other thing that IT admins should do is establish monitoring and controls to protect the network even from trusted partners, and prevent access to sensitive systems. It wouldn't help in this instance, because the compromised database was on the third-party provider's network, but IT admins still have to strike a balance between collaboration and security.

Like flowing water, attackers will always seek the path of least resistance. As this McDonald's incident illustrates, that path often goes through trusted third-parties.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Tony Bradley

PC World (US online)
Topics: firewalls, network security, McDonald's, applications, security, software, data protection
Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Compare & Save

Deals powered by WhistleOut
WhistleOut

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?