Cyber Incident Victim: McDonald's Canada

Date: Jan 2019

Location: Canada

Summary

Hackers compromised user accounts on McDonald's Canada MyMcD's app, making unauthorized food purchases that often totaled hundreds to thousands of dollars per victim through repeated small transactions. Affected individuals reported fraudulent charges from distant locations, with some discovering the activity weeks later due to receipts being filtered into spam folders. McDonald's Canada acknowledged isolated incidents but maintained confidence in the app's security, declining refunds in multiple cases and directing users to seek reimbursement through their financial institutions instead. The breach impacted numerous customers, including one individual charged for 100 separate meals, while others experienced unauthorized orders ranging from $50 to over $2,000, prompting public complaints about the company's refusal to take responsibility for the compromised application.

Description

In early 2019, McDonald's Canada faced a series of unauthorized transactions through its MyMcD's mobile application, with the earliest publicly reported incident occurring on January 17. Attackers gained access to user accounts and made repeated small-value food purchases, typically averaging $20 per transaction, often over extended periods before detection. Brett O'Donnell became one of the first identified victims on January 17, losing $50 when fraudulent orders went unnoticed because receipt notifications were diverted to his spam folder. The pattern escalated in February when Lauren Taylor discovered $484 worth of purchases made from a Quebec restaurant despite her Halifax residence, while Ontario resident Patty Duke incurred $100 in charges primarily for Filet-O-Fish meals. By April, technology journalist Patrick O'Rourke experienced the most severe documented case—100 separate transactions totaling $2,000 at a Montreal location between April 12-18. The attacks consistently involved orders placed geographically distant from victims' homes, with Brian Coleman from Ontario discovering $267 in charges originating from Montreal.

McDonald's Canada acknowledged "some isolated incidents" but maintained confidence in the app's security, refusing refunds to multiple victims including O'Rourke and directing them to seek reimbursement through their financial institutions. Affected users reported cumulative losses ranging from $50 to $2,000, with fraudulent transactions continuing undetected for weeks due to small individual amounts and notification issues. The company's spokesperson Adam Granikov stated they were implementing ongoing enhancements to improve security while emphasizing the app's existing safeguards. Public reporting of breaches increased steadily throughout early 2019, with numerous victims sharing transaction evidence online and expressing frustration over McDonald's refusal to accept responsibility for the compromised accounts. The incident exposed financial vulnerabilities for users and operational challenges in fraud detection, though no technical details regarding the breach method or total affected user count were disclosed by the company.
