
Cyber Incident Victim: McDonald's

Date: Jun 2021

Location: United States of America

Summary

The fast-food chain experienced a data breach in which attackers accessed internal systems. The compromised data included U.S. business information, such as restaurant square footage, and customer personal data in South Korea and Taiwan, including delivery customers' emails, phone numbers, and addresses. Employee names and contact details were also stolen in Taiwan. The company promptly terminated the unauthorized access, investigated with external consultants, and advised staff and franchisees to remain vigilant against phishing attempts, and said additional markets would address files containing employee personal data.


Description

In June 2021, McDonald’s Corporation identified unauthorized activity on an internal security system, prompting an investigation with external consultants. The breach, first reported by The Wall Street Journal, exposed business information and customer data across the United States, South Korea, and Taiwan. Unauthorized access was terminated within one week of detection. In the U.S., accessed files contained non-sensitive restaurant operational details such as square footage, with no compromise of customer or employee personal data. However, in South Korea and Taiwan, attackers exfiltrated delivery customers’ personal information, including email addresses, phone numbers, and physical addresses. Taiwan additionally experienced theft of employee data encompassing names and contact details. McDonald’s publicly confirmed that a limited number of files were accessed, some containing personal information, but emphasized swift containment of the intrusion. The company did not disclose the exact number of affected individuals or the specific methods used by the attackers to gain access.

McDonald’s response included direct notifications to employees and franchisees, urging vigilance against phishing attempts and advising verification of information requests through alternate communication channels. The corporation announced plans for additional markets to address files containing employee personal data in the days following the disclosure. Security experts cited in media reports highlighted risks stemming from the breach, particularly the potential for follow-on social engineering attacks leveraging stolen contact details. These concerns centered on phishing, smishing (SMS phishing), and vishing (voice phishing) campaigns impersonating McDonald’s or exploiting known business relationships. The company’s statement acknowledged the exposure of personal data in specific markets but did not outline remediation efforts for affected customers beyond internal warnings. No ransomware involvement or financial theft was reported in connection with the incident.
