McDonald's rejects accusations made for leaking financial data of its customers

Posted March 20, 2017

McDonald's India app McDelivery leaked personal information of its customers for an unspecified duration of time on Saturday sources said.

McDonalds India gave the usual "value your privacy" explanation and told media outlets financial data like credit card numbers wasn't exposed - which means only sufficient data to mount a workable identity theft attack was leaked. As a precautionary measure, we would also urge our users to update the McDelivery app on their devices.

The writers report that they sent this information to McDonald's in early February and even received an acknowledgement from a Senior IT Manager; but the "leak" had not been fixed when the report was published.

However Fallible claims that this fix did not solve the over-riding issue, with the affected server still leaking data.

In a blog post, the startup wrote, "an unprotected publicly accessible API endpoint for getting user details coupled with serially enumerable integers as customer IDs can be used to obtain access to all users personal information".

McDonald's operations in India are split into two entities - McDonald's India (West & South) and McDonald's India (North & East), and the McDelivery app and website are owned and operated by the former entity.

For now, the fault appears localised to users in India, where McDonalds has millions of regular customers. If such an option is not present, it would help to contact McDonald's India to take suggestions on the next course of action.

Fastfood giant McDonald's said on twitter that their Mobile App - McDelivery - did not store financial data of customers.

However, the company did not deny nor confirm the data leak.

They report that they have communicated this opinion to McDonald's again, and are waiting for their response.

The quick service restaurant's statement came after a post on independent blogpost hackernoon claimed that McDonald's India is leaking data of 2.2 million users.