The Washington Post

McDonald’s suffers data breach in U.S., Taiwan and South Korea

Some customer and employee information was exposed, but the hack was quickly contained, McDonald’s said

A McDonald's store in Taipei, Taiwan. (Pichi Chuang/Reuters)

McDonald’s, the world’s biggest fast-food chain, said Friday that some customer and employee information had been exposed by a data breach affecting its markets in South Korea, Taiwan and the United States.

No customer payment information was exposed in the breach, the company said in a statement emailed to The Washington Post. The hack was uncovered by external consultants investigating unauthorized activity on McDonald’s internal networks.

The McDonald’s breach is the latest in a string of recent hacks impacting major companies, from JBS, the world’s largest meat processor, to Colonial Pipeline, which supplies nearly half the fuel on the East Coast. The hacks have revealed the vulnerabilities of U.S. firms and infrastructure, and left government regulators scrambling to address cybersecurity in both public and private realms.

“McDonald’s understands the importance of effective security measures to protect information, which is why we’ve made substantial investments to implement multiple security tools as part of our in-depth cybersecurity defense,” the company said in a statement. “These tools allowed us to quickly identify and contain recent unauthorized activity on our network.”

Some business contact information and franchise data was exposed in the United States, McDonald’s told U.S. employees in an email, according to the Wall Street Journal, which first reported the breach. But the data accessed was not sensitive or personal, the company said.

“Moving forward, McDonald’s will leverage the findings from the investigation as well as input from security resources to identify ways to further enhance our existing security measures,” the Chicago-based company said in a statement.

Unlike recent attacks on JBS and Colonial Pipeline, the McDonald’s breach did not involve ransomware. On Wednesday, JBS confirmed it paid the equivalent of $11 million in ransom to hackers who targeted and temporarily crippled its business, forcing JBS to shutter its plants.

In May, the Colonial Pipeline hack caused long lines and shortages at gas pumps on the East Coast and sent government regulators scrambling to address cybersecurity in both public and private realms. Colonial Pipeline paid hackers 75 bitcoin, worth $4.3 million at the time, to free its systems according to the FBI. Authorities have since recovered more than half the ransom ― about $2.3 million. Colonial submitted an insurance claim to cover its costs.

Cyberattacks are on the rise, but the majority of senior IT and security leaders lack confidence in their organization’s ability to ward off attacks, according to 2021 research from Insight. The likelihood of detection and prosecution for cybercrime in the United States is estimated to be as low as .05 percent according to the World Economic Forum.

Ransomware hackers have already collected at least $81 million in ransom in 2021 according to Chainalysis. Victims of ransomware attacks paid at least $406 million in ransom last year, the blockchain analysis company reported.

The McDonald’s breach is the second high-profile hack this week. On Thursday, Electronic Arts, a major video game publisher, reported that hackers broke into its system and stole source code that powers popular games like FIFA 21 and Madden. The hack was not a ransomware attack, a company spokesperson told CNN.