McDonald's 2017 India Leak

A cyber security firm named Fallible, announced to the media of a McDelivery leak that leaked over 2.2 million customers private information after numerous attempts to urge McDonald's to patch the issue over the span of 4 weeks. ^[1] The company issue an statement and a patch, however it was not implemented correctly and would be fixed at a later date.

On February 7, 2017, Fallible first notified McDonald's of a security vulnerability with McDelivery service, receiving acknowledgement from the McDelivery IT Manager on February 13, however no further response were made from McDonald's, resulting in Fallible announcing the leak to the public on March 18. ^[2] It was reported that 2.2 million customers were affected, ^{[1] [3]} leaking customers info that included phone numbers, addresses, names, email IDs and home address.^[3]

After public disclosure, Fallible shared their frustration with the company, responding with;

"We have always respected a company’s request if they wanted more time to fix any issue but sadly they stopped responding after 4 weeks which led to us warning users that their data is out in the open. In fact, the ‘fix’ applied right now is incomplete and the vulnerability exists even now and we have intimated the same to the concerned company.” ^[3]

The same day as the announcement, McDonald's responded on Facebook saying it doesn't store any financial data, citing their website and app are secure and safe to use through updates in their security measures, while also urging users to update the McDelivery app. The update didn't fully implement the patch correctly, resulting in millions of customers still at risks of the attack, however the company eventually implemented a full on patch, though the exact date is unknown.

There is no official statement or response indicating that the original perpetrators were caught.