McDonald's customer data compromised through contractor

McDonald's is warning customers that sensitive data was exposed by a breach at a contractor hired by another contractor.

McDonald's is warning customers to be on guard against identity theft, phishing attacks, or other scams thanks to a data breach. What makes the data compromise more concerning is that it is indicative of a growing hacker strategy to go for the low-hanging fruit rather than staging a direct attack.

Hackers did not breach McDonald's per se. The attackers were able to access the sensitive McDonald's customer data through a third-party contracted by a third-party contracted by McDonald's. McDonald's hired Arc Worldwide to manage its promotional e-mail campaign, and Arc Worldwide hired another third-party to actually distribute the e-mails. That third-party -- which remains anonymous -- is the one that was hacked.

The good news for affected McDonald's customers is that the e-mail promotional campaigns do not involve collecting more sensitive information such as Social Security numbers, or credit card information. Still, data such as names, phone numbers, e-mail addresses, physical addresses, and other information that was exposed can be used for social engineering and identity theft attacks.

McDonald's has sent an e-mail to customers alerting them that their personal information may have been exposed. The e-mail asks customers to be more vigilant about potential identity theft or phishing threats, and asks them to contact McDonald's in the event that they receive any communications claiming to be from McDonald's which in any way ask the customer to share personal or financial information.

IT admins should pay close attention to this incident. Just as malware developers have focused more attention on third-party software like Adobe Reader rather than trying to exploit the Windows operating system directly, hackers have also learned that the easiest path to compromising a network is often through a third-party provider.

Partners and vendors often have trusted connections into fortified, high-value networks, and they represent low-hanging fruit that attackers can target. The smaller third-party organizations frequently lack the security policies and controls of the larger companies, and provide an Achilles heel that hackers can exploit to gain access to the more valuable network -- often flying undetected under the radar.

There are two things that IT admins need to do in order to protect sensitive data and network resources. First, do some due diligence and establish some security guidelines for third-party providers to ensure they meet security requirements. An extension of that would be to also require third parties contracted by the third party to meet the same requirements and go through the same vetting process before being authorized to connect to the network.

The other thing that IT admins should do is establish monitoring and controls to protect the network even from trusted partners, and prevent access to sensitive systems. It wouldn't help in this instance, because the compromised database was on the third-party provider's network, but IT admins still have to strike a balance between collaboration and security.

Like flowing water, attackers will always seek the path of least resistance. As this McDonald's incident illustrates, that path often goes through trusted third-parties.

Join the CSO newsletter!

Error: Please check your email address.

Tags network securityfirewallsapplicationsMcDonald'ssecuritysoftwaredata protection

More about Adobe SystemsetworkMcDonald's

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Tony Bradley

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts