McDonald's customer data compromised through contractor

McDonald's is warning customers that sensitive data was exposed by a breach at a contractor hired by another contractor.

McDonald's is warning customers to be on guard against identity theft, phishing attacks, or other scams thanks to a data breach. What makes the data compromise more concerning is that it is indicative of a growing hacker strategy to go for the low-hanging fruit rather than staging a direct attack.

Hackers did not breach McDonald's per se. The attackers were able to access the sensitive McDonald's customer data through a third-party contracted by a third-party contracted by McDonald's. McDonald's hired Arc Worldwide to manage its promotional e-mail campaign, and Arc Worldwide hired another third-party to actually distribute the e-mails. That third-party -- which remains anonymous -- is the one that was hacked.

The good news for affected McDonald's customers is that the e-mail promotional campaigns do not involve collecting more sensitive information such as Social Security numbers, or credit card information. Still, data such as names, phone numbers, e-mail addresses, physical addresses, and other information that was exposed can be used for social engineering and identity theft attacks.

McDonald's has sent an e-mail to customers alerting them that their personal information may have been exposed. The e-mail asks customers to be more vigilant about potential identity theft or phishing threats, and asks them to contact McDonald's in the event that they receive any communications claiming to be from McDonald's which in any way ask the customer to share personal or financial information.

IT admins should pay close attention to this incident. Just as malware developers have focused more attention on third-party software like Adobe Reader rather than trying to exploit the Windows operating system directly, hackers have also learned that the easiest path to compromising a network is often through a third-party provider.

Partners and vendors often have trusted connections into fortified, high-value networks, and they represent low-hanging fruit that attackers can target. The smaller third-party organizations frequently lack the security policies and controls of the larger companies, and provide an Achilles heel that hackers can exploit to gain access to the more valuable network -- often flying undetected under the radar.

There are two things that IT admins need to do in order to protect sensitive data and network resources. First, do some due diligence and establish some security guidelines for third-party providers to ensure they meet security requirements. An extension of that would be to also require third parties contracted by the third party to meet the same requirements and go through the same vetting process before being authorized to connect to the network.

The other thing that IT admins should do is establish monitoring and controls to protect the network even from trusted partners, and prevent access to sensitive systems. It wouldn't help in this instance, because the compromised database was on the third-party provider's network, but IT admins still have to strike a balance between collaboration and security.

Like flowing water, attackers will always seek the path of least resistance. As this McDonald's incident illustrates, that path often goes through trusted third-parties.

Join the PC World newsletter!

Error: Please check your email address.

Tags network securityfirewallsapplicationsMcDonald'ssecuritysoftwaredata protection

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Tony Bradley

PC World (US online)
Show Comments

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?