NEW DELHI, India - McDonald’s India’s delivery app, McDelivery, is said to have leaked the personal information of millions of its customers, according to a report by cybersecurity firm Fallible.
According to Fallible, “more than 2.2 million” McDonald’s app users were affected, and their details, including “name, email address, phone number, home address, accurate home co-ordinates, and social profile links”, were leaked.
The firm said in a blog post, “An unprotected publicly accessible API endpoint for getting user details coupled with serially enumerable integers as customer IDs can be used to obtain access to all users' personal information.”
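The two conditions in Fallible's description, an endpoint with no access check and serially numbered customer IDs, can be shown beside a hardened lookup. This is an added Python example, not code from Fallible or McDonald's; the record layout, function names and sample users are all assumptions constructed for illustration.

```python
import secrets

# Constructed sample stores; names and layout are assumptions, not the real app's.
USERS = {}      # public_id -> profile
SESSIONS = {}   # session token -> public_id of the logged-in user


def register(name, email):
    """Create a user with an unguessable public ID; return (public_id, token)."""
    public_id = secrets.token_urlsafe(16)   # 128 random bits, not a serial integer
    token = secrets.token_urlsafe(32)
    USERS[public_id] = {"name": name, "email": email}
    SESSIONS[token] = public_id
    return public_id, token


def get_user_details_unprotected(customer_id):
    """The pattern in the quote: whoever supplies an ID receives the record."""
    profile = USERS.get(customer_id)
    return (200, profile) if profile else (404, None)


def get_user_details(token, customer_id):
    """Hardened form: authenticate the caller, then authorize the object."""
    caller = SESSIONS.get(token)
    if caller is None:
        return 401, None                    # no valid session
    if caller != customer_id:
        return 403, None                    # valid session, someone else's record
    return 200, USERS[caller]


if __name__ == "__main__":
    alice_id, alice_token = register("Alice", "alice@example.test")
    bob_id, _ = register("Bob", "bob@example.test")
    print(get_user_details_unprotected(bob_id))       # record returned to anyone
    print(get_user_details(alice_token, bob_id))      # (403, None)
    print(get_user_details(alice_token, alice_id))    # Alice's own record
```

Random identifiers only make records harder to find; the per-object check in `get_user_details` is what stops one user from reading another's data.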
Reports noted that McDonald's operations in India are split into two entities - McDonald's India (West & South) and McDonald's India (North & East), and the McDelivery app and website are owned and operated by the former entity.
The leak is said not to have affected the data of customers in the north and east of India, as they use another app and website.
The cybersecurity firm said that it had first reported the issue to McDonald's India on February 4.
It received an acknowledgement from the fast food giant's senior IT manager on February 13, but the problem still persisted when Fallible reported the issue publicly on March 18.
It claimed that it was possible the leak had been around for much longer.
The leak reportedly remained unplugged hours after Fallible’s blog post was published. It wasn’t clear if the data had been downloaded and exploited earlier.
McDonald’s eventually plugged the hole used to access user data, but Fallible said, “The McDonald's fix is incomplete and the endpoint is still leaking data. We have communicated this again to them and are waiting for their response.”
A McDonald’s India (West and South) spokesperson said in a media statement, “We would like to inform our users that our website and app do not store any sensitive financial data of the users like credit card details, wallets passwords or bank account information. The website and app have always been safe to use, and we update security measures on a regular basis. As a precautionary measure, we would also urge our users to update the McDelivery app on their devices.”
The company, reports pointed out, had not denied that personal information was being leaked.
A lack of strong data privacy and protection laws for customers in India has previously been criticised too.
Fallible said in its blog post, “The lack of strong data protection and privacy laws or penalties in India, unlike the European Union, the United States or Singapore has led to companies ignoring user data protection.”
According to reports, Srinivas Kodali, a Hyderabad-based user of the app, has now registered a complaint under section 43A of the IT Act, which provides for compensation for failure to protect data.