The Expert's View with Jeremy Kirk

Data Breach

McShame: McDonald's API Leaks Data for 2.2 Million Users McDonald's Finally Confirmed McDelivery Breach After Being Outed by Researcher
McShame: McDonald's API Leaks Data for 2.2 Million Users
McDelivery in Delhi. (Photo: Tom Field)

Things are getting messy at McDonald's in India, and that's not just for consumers of the Maharaja Mac - a double-stacked grilled chicken monstrosity with jalapenos and habanero sauce.

See Also: The Cost of Social Engineering: 3.1 Billion Reasons to Pay Attention

McDonald's has acknowledged that a leaky API exposed personal information for users of its McDelivery mobile app in India. The flaw, found by payments company Fallible, exposed names, email addresses, phone numbers, home addresses and sometimes the coordinates of those homes, as well as links to social media profiles. And Fallible contends that the leak still hasn't been properly fixed.

"We are pleasantly surprised when we find Indian companies without a personal or payment data leak vulnerability in their APIs." 

I queried McDonald's to see if it has tried to seal the hole in the API and also whether it has notified customers or regulators, but I didn't get an immediate response.

In a March 19 tweet, McDonald's didn't issue any clear answers, instead taking the well-trodden path of seeking to reassure users by highlighting what was not breached.

"We would like to inform our users that our website and app does not store any sensitive financial data of the users like credit card details, wallets passwords or bank account information," it says. "The website and app has always been safe to use."

McDonald's has dabbled in home delivery in many countries since the early 1990s, attracting budget diners willing to risk the short half-life of its sandwiches and fries versus the vagaries of home delivery.

McLeaky McDelivery?

Fallible says it contacted McDonald's India on Feb. 7, letting the fast-food chain know it could sequentially pull user information from the API using a curl request.

"An unprotected publicly accessible API endpoint for getting user details coupled with serially enumerable integers as customer IDs can be used to obtain access to all users personal information," Fallible writes in a blog post.

Fallible didn't hear back until Feb. 13, it says. But the issue appeared to remain unfixed, so Fallible says McDonald's another email on March 7 asking for a status update. Ten days later, it sent another email and received no response.

Fallible chose to go public with the issue in a March 18 blog post, prompting a public acknowledgement from McDonald's on Twitter the next day. Fallible contends the issue hasn't been fixed, and it's unclear from McDonald's tweet if it was.

McNotification?

India doesn't have a specific law that requires mandatory reporting of data breaches. But there are regulations and laws that cover the disclosure of personal information.

One is the Information Technology Act 2008, referred to as the IT Act. Another is a batch of rules that went into force in 2011 that describes the need for "reasonable" security practices when handling personal information.

Under section 43A of the IT Act, companies could be held liable to pay compensation for a failure to use reasonable measures to protect sensitive personal data. Additionally, if the information is intentionally disclosed without consent, criminal penalties could also apply.

Critics, however, contend that India is behind when it comes to strong data protection and stricter legislation, such as what the European Union has implemented (see Why India is Still Not Ready for Breach, Privacy Laws).

In its blog post, Fallible writes that the lack of strong data protection and privacy laws in India has resulted in many companies ignoring related issues.

"We have in the past discovered more than 50 instances of data leaks in several Indian organizations," Fallible writes. "In fact, we are pleasantly surprised when we find Indian companies without a personal or payment data leak vulnerability in their APIs."



About the Author

Jeremy Kirk

Jeremy Kirk

Managing Editor, Security and Technology

Jeremy Kirk is a 20-year veteran journalist who has reported from more than a dozen countries. An expat American now based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked for 10 years from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.




Around the Network