McDonald's sent an email announcement and posted a message on its website on Saturday telling its "valued customers" that "there is a possibility that the limited information you provided to McDonald's through its websites or promotions was improperly accessed by an unauthorized third party."
I was one of those valued customers who received the email.
The announcement goes on to state that:
"By way of background, McDonald’s asked Arc Worldwide, a long-time business partner, to develop and coordinate the distribution of promotional emails. Arc hired an email service provider, a standard business practice, to supervise and manage the email database. That email service provider has advised that its computer systems recently were accessed by an unauthorized third party, and that information, including information that you provided to McDonald’s, may have been accessed by that unauthorized third party. Law enforcement officials have been notified and are investigating this incident."
McDonald's says that the database accessed did not contain Social Security numbers, credit card numbers or any other sensitive financial information, but did contain "name, postal address, home or cell phone number, birth date, gender, and certain information about your promotional preferences or web information interests."
The information was provided by McDonald's customers when they submitted "information or subscribe to McDonald’s during an online promotion or through one of [eight] McDonald’s websites at McDonalds.com, 365Black.com, McDonalds.ca, mcdonaldsmom.com, mcdlive.com, monopoly.com, playatmcd.com, or meencanta.com."
McDonald's has not provided any indication of how many customers around the world were affected by the breach (a story in ZDNet Asia states that McDonald's customers in Australia were not), when it happened, or how far back its database of customer information goes, but it has to be a potentially huge number.
For instance, an online version of its immensely popular Monopoly game has been available since 2004 and has been promoted heavily by McDonald's in several countries ever since. Other McDonald's promotions also have tremendous power in pushing adults and especially children to its websites.
Arc Worldwide, McDonald's business partner mentioned above, has a case study on its US web site discussing how its McDonald's Shrek movie tie-in campaign alone successfully pushed children worldwide to McDonald's online Shrek game, which resulted in increases in Happy Meals sold by 16% and overall store sales by 8.7%, Arc Worldwide claims.
Arc Worldwide also said parents' trust in McDonald's grew by 11.15% because of its Shrek campaign. It may well drop some once parents figure out their children's information hasn't been protected.
McDonald's is warning customers that if they "are contacted by email or otherwise by someone claiming to be from McDonald’s asking for your sensitive financial information, do not provide it. McDonald’s does not ask for that type of information on-line or by email. Instead, please call us at 800-244-6227 and let us know so we can contact the authorities."
Or, using a phrase that the headline writer for ZDNet Asia came up with, don't bite on that McDonald's Filet-O-Phish.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.