Mainstream Media Downplays The McDonalds Data Breach

The McDonalds Data Breach

When McDonalds was hacked in 2021, so many mainstream media giants immediately leaped to their defense. They couldn’t wait to tell the world just how secure and responsive McDonalds’ cybersecurity was, and how they ‘did all the right things’.

But remember: It wasn’t the fast-food chain that became the victim of a data breach… it was their employees. And their vendors. And some of their customers. In an attack that spanned three countries, hackers stole both internal and external business information that could easily ruin lives and businesses.

Just not McDonalds, right?

This article will talk about the dark truth behind the 2021 McDonalds data breach.

About The Data Breach

It was late May of 2021. Due to a clear server vulnerability, hackers gained control of several assets inside of the McDonalds server space. They proceeded to see which systems they could gain access to and started exporting their data even before their intrusion was discovered.

They were likely at it for days before anyone did anything about it. It’s just dumb luck that more critical systems weren’t hit right off the bat. It takes time to scan everything on a network and find the right vulnerabilities without attracting a lot of attention. After that’s done, gaining access to the information is only half the job. You need to get the data out while avoiding raising any alarms or triggering any firewalls.

The hackers were discovered before they could get into the more critical systems. Such is the nature of hacking: You get in where you can, and you don’t always hit the jackpot right away. The attackers packed up the shop, exfiltrated everything they had, and disappeared.

When early June rolled around, McDonalds completed its data breach analysis with some outside help. They were ready to go to the press and warn their staff about what to expect in the days to come.

Three countries were part of the breach: Taiwan, South Korea, and the U.S.

Their Asia-Pacific servers were hit the hardest. Customer and employee data had been exfiltrated, including details such as phone numbers, e-mails, and even the addresses of delivery customers in South Korea. Taiwan was hit the hardest for internal information, which included employee data such as their names and contact information.

The United States franchises got off easy compared to that. The leaks there consisted mostly of business contacts, technical information about vendors, and some floor plans.

Then Why Was The McDonalds Data Breach Reported So Mildly?

The pro-McDonalds spin came in fast and was laid on thick. It was big businesses protecting other big businesses, plain and simple.

A corporate shill spoke to CNN Business, explaining how they caught the hack ‘so quickly’. They attributed their supposed success to an investment in early warning systems, cybersecurity tools, and a good relationship with their security consultants:

“These tools allowed us to quickly identify and contain recent unauthorized activity on our network. A thorough investigation was conducted, and we worked with experienced third parties to support this investigation.”

They went on to explain that the next step would be talking to the actual human beings who might have been exposed in the breach. That’s right, they implied that they went to the press before they even told the victims of the cyber attack. Corporate responsibility at its finest.

The real victims in this incident were told that there might be an increase in phishing and scam attempts against them. Employees and vendors would be increasingly exposed and vulnerable to social engineering attacks. Anyone who knows vendor info, floor plans, and other insider information like employee names and contact methods could pose as a corporate representative.

So while all the news sites were saying ‘it could have been worse’, it was actually about to get worse for tens of thousands of employees.

What McDonalds Should Have Done

If they really wanted to detect and counteract a data breach, McDonalds could have invested in better early detection tools.

For a hacker to sit around inside of their network for days, something was clearly wrong with their firewall rules and network monitoring software. Instead of looking for signs of a breach and updating every piece of hardware that routes, scans, or stores data, they got lax and left holes in their defenses. Nobody reported this as a zero-day exploit… which means it absolutely could have been prevented.

McDonalds did one smart thing: As soon as they realized they were in over their head, they called in experts. It must be wonderful to be able to throw money at the problem. 

The Aftermath

While their positive spin campaign deflected some reputational fallout from a hacking incident, the real victims were left with cyber security pamphlets and words of sympathy.

In the long term, McDonalds came out of this data breach smelling like roses, simply because they set the media department loose upon the world. It was a matter of executing the wrong kind of damage control. They cared more about their own reputation than the hundreds of small businesses and tens of thousands of employees (both their own and those working for vendors) who they left in the lurch. Probably because the stockholders don’t care as much about those things.

Protect Yourself

The moral of the story is simple: Employee and vendor data aren’t as important as protecting corporate reputation. After informing the people who they screwed over, it was everyone for themselves.

Without a privacy app installed, the information that the hackers gained in the leak serves as a way to correlate the online identities of many McDonalds employees (and their vendors) with their real-life identities. The big clown just doxxed a load of people.

They’re going to need to take measures to protect themselves. Hoody is one of the best ways to protect your online identity after a data breach. If you want to see if your information has ever been leaked, check out HaveIBeenPwned.

Hoody is a privacy app that completely anonymizes browser activity and, unlike VPNs, stops the biggest threat to online privacy this decade: browser fingerprinting. It’s essential for anyone who doesn’t want their online activity correlated to their real-life identity.
