The restaurant chain reportedly said no U.S. customer data was exposed and the attack did not involve ransomware.
McDonald’s is the latest company to fall victim to a cyberattack exposing customer and other data in the U.S., Taiwan and China, The Wall Street Journal has reported. The restaurant giant reportedly told the paper that it has hired external investigators to analyze unauthorized activity on an internal security system.
No U.S. customer data was breached, McDonald’s told The WSJ, and the data of employees that was exposed was not sensitive or personal. U.S. employees were told in an email that the breach exposed some U.S. business contact information and franchise data.
Personal data of customers in Korea and Taiwan were reportedly accessed, as well as employee names and contact information in Taiwan.
The breach comes on the heels of recent hacks on a number of major companies, including JBS, the world’s largest meat processor, and Colonial Pipeline, which supplies almost half of the fuel on the East Coast. However, unlike those breaches, the McDonald’s breach did not involve ransomware. The company has not yet identified the source of the attack.
SEE: Identity theft protection policy (TechRepublic Premium)
“McDonald’s understands the importance of effective security measures to protect information, which is why we’ve made substantial investments to implement multiple security tools as part of our in-depth cybersecurity defense,” the company said in a statement, the WSJ reported. “These tools allowed us to quickly identify and contain recent unauthorized activity on our network.”
Reaction from industry observers
CISOs and other security experts had varying reactions to the attack. “In the minds of threat actors, everyone is fair game,” said Tom Garrubba, CISO of Shared Assessments. “The onslaught of breaches and other vicious cyberattacks are not letting up and therefore, we must be more diligent in ensuring we do not let our guard down.”
While many organizations have stressed over defending personally identifiable information of customers and employees, now, we’re also seeing a large uptick in attacks on organizations that don’t appear to involve personal data, Garrubba said. Infrastructure and other confidential data are now becoming big targets.
Roger Hale, CSO of BigID, called the McDonald’s data breach very limited and said it was an exfiltration of customer delivery data and employee contact data. “These data types would not usually be kept in the same business systems, with the exception being unstructured data, which most security professionals will tell you is more difficult to protect as collaboration tools are designed specifically to ‘share’ data,” Hale said.
It is too soon to know whether this breach can be linked to the latest string of ransomware attacks, Hale said. “However, Russia, China and other nation-states benefit from any cyber disruption. CISOs and their technology partners need to acknowledge the greater likelihood of a ransomware-type attack not only from a business resiliency impact … but also from the data exfiltration/data breach impact.”
Hale added that it could be months before we see if the operational data from Colonial can be weaponized or quantified to further disrupt the energy industry. The first impact was the shutdown of the systems, but it is unclear if that data exfiltrated and if so, how it can be used in the future.
He said he would be “surprised if the U.S. and our allies are not already using offensive cyber tools to respond and deter nation state-sponsored cyber disruption.”
Keatron Evans, principal security researcher at Infosec, said that this latest breach “could be a sign that security is actually improving.” Evans explained that McDonald’s cited recent investments into cybersecurity as one of the reasons the company responded and reported the incident so quickly.
“Maybe the recent string of reported events is due to those large security budgets starting to render measurable results,” said Evans, who is also an instructor and speaker. “In our industry, we have evangelized spending on detection and response, and it seems as though that message may have resonated.”