Cyber-attack roundtable | Decrypting the ‘secret sauce’

The latest roundtable discussion from Security on Screen analyses this week’s cyber attack on McDonald’s – how has the world’s largest burger chain responded?

Fast-food giant McDonald’s has been hit by a cyber-attack this week, in which a ‘small number’ of files on customers in the US, South Korea and Taiwan were accessed.

The burger chain said last week that it recently hired external consultants to investigate unauthorised activity on an internal security system, prompted by a specific incident in which the unauthorised access was cut off a week after it was identified.

According to initial reports by the Wall Street Journal, the breach included e-mail, delivery addresses and phone numbers, but not any payment details. Investigators then confirmed that the breach disclosed some business contact information for US employees and franchisees, along with some information about restaurants such as seating capacity and the square footage of play areas.

The company said no customer data was breached in the US, and that the employee data exposed wasn’t sensitive or personal. However, it advised employees and franchisees to watch for phishing emails and to use discretion when asked for information.

Dependency ‘double up’

To comment on the incident, Sam Curry, Chief Security Officer of Cybereason, says: “The McDonald’s data breach is yet another reminder that every minute of every day threat actors around the world are focused on cybercrime, espionage and data theft. And more and more this activity is state sponsored and run through Russia, China, Iran, North Korea and other countries that harbour cyber terrorists.

“Make no mistake that while this newest threat doesn’t appear to involve ransomware, data breaches are occurring more frequently but maybe with fewer headlines because of the Colonial Pipeline and JBS attacks.”

Jonathan Knudsen, Senior Security Strategist at Synopsys, adds: “The recent cyber breach at McDonald’s is another example showing that every organisation is a software organisation. Fast food? Oil pipeline? Global shipping? Every organisation in every industry depends on software for critical business functions and consequently, every organisation in every industry must embrace a proactive approach to cybersecurity.

“Without a security mindset in all parts of the organisation, the risk of disaster is high. Organisations must recognise, at the highest levels of management, that the software they use every day is a part of their infrastructure, just like office buildings or stores or factories. As such, organisations need to select, deploy, and operate software with an eye toward security at every step.

“As software becomes more entrenched in the fabric of society, and as criminals get better at exploiting weak security processes, good security hygiene will become a competitive differentiator. Eventually, organizations will see software security not as a cost center or hurdle, but as an enabler to a faster, more efficient, less risky future.”


“McDonald’s customers in Taiwan and South Korea who have given the company their contact information at any point should be on the lookout for phishing emails,” says Paul Bischoff, Privacy Advocate at Comparitech. “Scammers will send emails and texts posing as McDonald’s or a related company, using personal data from the breach to personalise messages and make them more convincing.

“These messages will most likely instruct victims to click on a malicious link that either downloads malware or goes to a fake website. The website will ask victims for their login or payment information, which is then stolen by the attackers. Never click on links in unsolicited emails and always verify the sender before responding.”

Jamie Akhtar, CEO and Co-Founder of CyberSmart adds: “Phishing has become increasingly popular and will likely impact employees and franchisees of McDonald’s in the coming months now that their contact information is out in the open. The benefit of a holistic approach to cyber is not only that you can worry less but the next time a customer asks about your security, you can answer with confidence you’re on top of it.”

Javvad Malik, Security Awareness Advocate at KnowBe4, also comments: “With many criminals spending weeks, if not months within organisations to exfiltrate data, understand the network, and often deploy ransomware, being able to detect and respond to this intrusion before it became a much larger incident highlights the value in having a robust layered security capability.”

The ‘golden arches’ of risk mitigation

McDonald’s said that its divisions in South Korea and Taiwan notified regulators in Asia of the breach last Friday, and that they would contact customers and employees. The company said its divisions would also notify some employees in South Africa and Russia of possible unauthorised access to their information. The investigation had flagged those countries as well.

Chris Hauk, Consumer Privacy Champion at Pixel Privacy comments: “It sounds as if McDonald’s is being proactive about protecting its data, taking steps to detect data breaches, and quickly making the necessary moves to cut off hacker access once it was detected. The company also appears to be taking steps to better protect itself against future attacks and breaches.”

“This recent data breach of McDonald’s shows how critical it is for organisations to recognise that security is a matter of when, not if, and we should all take steps to implement a secure baseline – recognition really is the first step,” adds Akhtar. “Fortunately, there is no need to re-invent the wheel of your own security program. Start by aligning with the UK Government’s guidelines. Think of it as an ongoing program rather than a project as well. Security should be embedded within the culture, and although most businesses are not likely to suffer highly sophisticated attacks, it’s important to keep updated as the landscape shifts.”

Curry concludes: “The silver lining appears to be that McDonald’s has admitted increasing its investments in cybersecurity defence and the data breach was discovered early enough to shut off access to critical corporate data, customer data and maybe even the recipe for the secret sauce used in McDonald’s iconic Big Mac.

“Kudos to McDonald’s for being transparent and we look forward to hearing more from them as they can be seen as the hero in this situation if they prevent future data breaches and share some of their playbook with the industry to help other companies from being victimised. Having a post breach mindset is critical in combating cyber risks to businesses. You must assume the threat actors will get in, because they eventually will, and stop them quickly and push them out of networks.”

