Lessons from the McDonald’s hack

Daniela thought it was a good idea to give her personal information to McDonald’s in exchange for discounts and promotions. “Yes, they do put out good promos, I’ll give them that,” she told me. But those promotions do not compensate for the exposure of your personal data to third parties unrelated to McDonald’s, which is what happened on March 30, 2022, when the fast food chain was the victim of a hack that led to the theft of its customers’ personal information.

What personal data was stolen from McDonald’s? It is not very clear: neither the chain’s corporate communications, managed by Arcos Dorados México, nor the answers to a questionnaire that I sent to its press team help to clarify it.

In fact, McDonald’s has been tight-lipped in communicating the cybersecurity incident: it notified those affected 16 days after the hack occurred, even though the personal data protection law requires notification as quickly as possible, so that the owners of the data can take measures to protect themselves after the leak. McDonald’s published a “notification letter” with details of the hack at a link that is impossible to reach from its website. In practice, it seems that McDonald’s wants to hide or minimize the incident.

In a direct communication with those affected on Good Friday (April 15), McDonald’s informed them that “it is possible that your name, marital status, address, e-mail, identity document number and telephone number have been left unprotected.”

In the notice posted deep within its website, dated April 13, McDonald’s adds that among the leaked data were “email, nationality, zip code, first and last name, date of birth, favorite product at McDonald’s and family interests.”

I consulted the communications team of McDonald’s (Arcos Dorados México) directly to learn more about the incident, with questions such as: How many Mexican customers were affected by the security incident? (I asked about Mexico because the data breach also affected citizens of Costa Rica.) How many workers were affected? What personal data was at risk? And how long was this “cyber incident” active? I received a 149-word response:

“Because the ongoing investigations are confidential, we are unable to provide further information at this time. As soon as we learned of the incident suffered by one of our IT service providers [tecnologías de información], we took additional security measures and, in compliance with the regulations on the matter and acting under the principles of transparency, ethics and responsibility, we informed the appropriate Mexican authorities and notified a limited group of consumers in Mexico whose data was possibly unprotected.

“It is important to clarify that we do not store consumers’ sensitive information or bank details, and that this information is handled within the usual framework of our commercial activity and conforms to the Data Protection Act in force in the country.

“At Arcos Dorados México we continue to work with our suppliers to reinforce the security of our customers’ information, which allows us to continue offering them the best service in our restaurants.”

Some of the values invoked in McDonald’s press release can be questioned, such as “transparency, ethics and responsibility,” given the scarcity of information about the incident and the delay in notifying those affected. It stands to reason: in a reputation-based economy, no one likes to admit mistakes or to admit that they have put their consumers at risk.

For Daniela, nothing will ever be the same in her relationship with McDonald’s: “The promos are good, but in exchange for the theft of my data it is a very high price. No one should have to pay it,” she told me.

Friends, think more than once before handing over your personal data to any provider: are you sure it is worth it?

Jose Soto Galindo

Editor of El Economista online


Journalist. Since 2010 he has edited the digital edition of El Economista in Mexico City. Master in Transparency and Protection of Personal Data from the University of Guadalajara. He has a specialization in telecommunications and information technology law. His personal blog is Economicon.