McDonald's India App 'leaks' customer data for more than 2.2 million users

Pablo Tucker
March 20, 2017

McDelivery, the McDonald's India application, was allegedly leaking personal data, including names, email addresses, phone numbers, home addresses, home coordinates and social profile links, for as many as 2.2 million of its users, according to Fallible, a cyber security company.

McDonald's reacted with, "Our site and application don't store any delicate monetary information of clients like credit card subtle elements, wallet passwords or financial balance data".

Speaking to Gadgets 360, a McDonald's India spokesperson has stated that the company doesn't store any financial data such as credit card details, bank account information, or wallet passwords of its customers.

The statement added, "As a precautionary measure, we would also urge our users to update the McDelivery app on their devices".

For now, the fault appears localised to users in India, where McDonald's has millions of regular customers.

The exploit has since been plugged, but Fallible claims that the fix is incomplete and that data is still being leaked.

Fallible wrote in a blog post, "An unprotected openly available API endpoint for getting client subtle elements combined with serially enumerable numbers as client IDs can be utilized to acquire access to all clients individual data".
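The pattern described in the quote, shown beside a hardened handler. This is an added example, not code from Fallible's post or from the McDelivery backend; the record fields, function names and session scheme are assumptions made for illustration.

```python
import secrets

# Constructed sample records; field names are illustrative assumptions.
_RECORDS = [
    {"name": "Asha", "email": "asha@example.com", "phone": "000-0001"},
    {"name": "Ravi", "email": "ravi@example.com", "phone": "000-0002"},
]

# Weak design: serial integer IDs, so neighbouring IDs are always valid.
USERS_BY_SERIAL = {i + 1: rec for i, rec in enumerate(_RECORDS)}

# Hardened design: random 128-bit IDs that cannot be counted through.
USERS_BY_OPAQUE = {secrets.token_urlsafe(16): rec for rec in _RECORDS}

# Session token -> ID of the user who authenticated (constructed).
SESSIONS = {}


def login(opaque_id):
    """Issue a session token bound to one user ID (credential check omitted)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = opaque_id
    return token


def get_user_details_weak(user_id):
    """Pattern from the quote: no authentication, caller picks a serial ID."""
    rec = USERS_BY_SERIAL.get(user_id)
    return (200, rec) if rec else (404, None)


def get_user_details_hardened(session_token, requested_id):
    """Require a valid session and return only the caller's own record."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        return 401, None  # unauthenticated request
    # Object-level authorization: the requested ID must be the session's own.
    # The response is the same 403 whether or not the requested ID exists.
    if not secrets.compare_digest(owner, requested_id):
        return 403, None
    return 200, USERS_BY_OPAQUE[owner]
```

Random IDs only make records hard to guess; the ownership check tied to the session is what prevents one user from reading another's record.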

Denying the claims, the company has sent an official statement dismissing such reports. The Fallible security team reached out to McDonald's under their responsible disclosure policy. Now it is McDonald's India.

Last December, KFC suffered a major breach to its Colonel's Club app, with as many as 1.2 million United Kingdom users potentially having their accounts compromised. If such an option is not present, it would help to contact McDonald's India to take suggestions on the next course of action.

Security firm Fallible said that the lack of strong data protection laws in India and the absence of any meaningful penalty for leaking data meant many companies did little to protect user data.
