McDonald’s admits to customer database breach

This week McDonald’s issued a statement to customers after a vendor partner informed it of unauthorized access to a customer information database the partner was managing. McDonald’s called the data leakage “limited”, and quickly pointed out that no financial information or Social Security numbers were kept in the database, which was maintained by marketing firm Arc Worldwide.

“This incident has nothing to do with credit card use at the restaurants”, McDonald’s assured in the statement.

The company said that names, addresses, phone numbers, dates of birth, and gender information linked to McDonald’s promotions and websites were compromised when an unidentified third party accessed the database via an email service provider contracted by Arc Worldwide.

Commenting on the incident, Mark Darvill, director of communications security specialist AEP Networks, said that McDonald's may feel a bit lucky that its business partner leaked only "limited" customer information, rather than a treasure trove of sensitive data. He added that this so-called limited leakage could still aid criminals in identity theft.

"This breach highlights the need for organizations to double-check what security measures third parties have in place to protect their sensitive data", Darvill said. "Data protection is no longer just about protecting data when it is on your premises."

McDonald’s did not provide any further details on the incident, adding only that it is currently being investigated by law enforcement officials.
