Cyber Incident Victim: McDonald's Costa Rica

In April 2022, McDonald’s Costa Rica branch experienced a data breach involving unauthorized access to customer information. The incident stemmed from an unprotected database maintained by a third-party service provider contracted by the company. A hacker exploited this exposure to access sensitive customer records, though the specific method of intrusion remained unidentified by McDonald’s. The compromised data included full names, marital statuses, physical addresses, email addresses, government-issued identification numbers, and phone numbers. McDonald’s characterized the breach as indirect, emphasizing that the security failure originated with the external vendor rather than its own internal systems. The company became aware of the incident after the hacker’s access was detected, though the timeline between initial compromise and discovery was not publicly disclosed. McDonald’s promptly initiated customer notifications on or around April 15, 2022, informing affected individuals about the exposure of their personal data through formal breach alerts.

The breach exposed customers to potential risks including identity theft, phishing attempts, and physical security concerns due to the sensitivity of national identification numbers and home addresses. McDonald’s response focused on transparency, directly acknowledging the service provider’s security lapse in its communications to impacted individuals. No evidence suggested financial data or payment card information was compromised in this incident. The company did not disclose whether law enforcement was engaged or whether regulatory penalties were anticipated. Investigations into the breach continued post-disclosure, with the root cause of the database exposure remaining undetermined at the time of public reporting. McDonald’s made no immediate public statements about corrective actions taken against the vendor or enhancements to third-party security protocols following the incident.