Information From Eight McDonald's Promotion Websites Stolen: Are Millions of Customers Affected?

Business partner's hired email system provider compromised

2 min read
Information From Eight McDonald's Promotion Websites Stolen: Are Millions of Customers Affected?

McDonald's sent an email announcement as well as posted a message on its website on Saturday to its "valued customers" that "there is a possibility that the limited information you provided to McDonald's through its websites or promotions was improperly accessed by an unauthorized third party."

I was one of those valued customers who received the email.

The announcement goes on to state that:

"By way of background, McDonald’s asked Arc Worldwide, a long-time business partner, to develop and coordinate the distribution of promotional emails.   Arc hired an email service provider, a standard business practice, to supervise and manage the email database.  That email service provider has advised that its computer systems recently were accessed by an unauthorized third party, and that information, including information that you provided to McDonald’s, may have been accessed by that unauthorized third party.  Law enforcement officials have been notified and are investigating this incident."

McDonald's says that the database accessed did not contain Social Security Numbers, credit card numbers or any sensitive financial information like credit card numbers, but did contain "name, postal address, home or cell phone number, birth date, gender, and certain information about your promotional preferences or web information interests."

The information was provided by McDonald's customers when they submitted "information or subscribe to McDonald’s during an online promotion or through one of [eight] McDonald’s websites at McDonalds.com, 365Black.com, McDonalds.ca, mcdonaldsmom.com, mcdlive.com, monopoly.com, playatmcd.com, or meencanta.com."

McDonald's has not provided any indication of how many customers around the world were affected by the breach (a story in ZDNet Asia states that McDonald's customers in Australia were not) - or when it happened or how far back its database of customer information goes - but it has to be a potentially huge number.

For instance, there has been an online version of its immensely popular Monopoly game beginning in 2004 and which has been promoted heavily by McDonald's in several countries ever since. Other McDonald's promotions also have tremendous power in pushing adults and especially children to its websites.

Arc Worldwide, McDonald's business partner mentioned above, has a case study on its US web site discussing how its McDonald's Shrek movie tie-in campaign alone successfully pushed children worldwide to McDonald's online Shrek game, which resulted in increases in Happy Meals sold by 16% and overall store sales by 8.7%, Arc Worldwide claims.

Arc Worldwide also said parents' trust in McDonald's grew by 11.15% because of its Shrek campaign as well. It may well drop some once parents figure out their children's information hasn't been protected.

McDonald's is warning customers that if they "are contacted by email or otherwise by someone claiming to be from McDonald’s asking for your sensitive financial information, do not provide it.  McDonald’s does not ask for that type of information on-line or by email.  Instead, please call us at 800-244-6227 and let us know so we can contact the authorities."

Or, using a phrase that the headline writer for ZDNet Asia came up with, don't bite on that McDonald's Filet-O-Phish. 

The Conversation (0)

How Police Exploited the Capitol Riot’s Digital Records

Forensic technology is powerful, but is it worth the privacy trade-offs?

11 min read
Vertical
 Illustration of the silhouette of a person with upraised arm holding a cellphone in front of the U.S. Capitol building. Superimposed on the head is a green matrix, which represents data points used for facial recognition
Gabriel Zimmer
Green

The group of well-dressed young men who gathered on the outskirts of Baltimore on the night of 5 January 2021 hardly looked like extremists. But the next day, prosecutors allege, they would all breach the United States Capitol during the deadly insurrection. Several would loot and destroy media equipment, and one would assault a policeman.

No strangers to protest, the men, members of the America First movement, diligently donned masks to obscure their faces. None boasted of their exploits on social media, and none of their friends or family would come forward to denounce them. But on 5 January, they made one piping hot, family-size mistake: They shared a pizza.

Keep Reading ↓Show less
{"imageShortcodeIds":[]}