McDonald’s India app McDelivery had leaked personal information of its customers for an unspecified duration of time, cyber security firm Fallible reported on Saturday.
The leaked details include “name, email address, phone number, home address, accurate home co-ordinates, and social profile links” for “more than 2.2 million” of its users.
Cyber security experts said hackers could use the information to access financial details of users, including credit/debit card information and e-wallet details.
McDonald’s operations in India are split into two entities – McDonald’s India (West & South) and McDonald’s India (North & East), and the McDelivery app and website are owned and operated by the former entity.
The leak is not said to have impacted data of customers in the North and East of India as they use another app and website.
Fallible has stated that they first reported the issue to McDonald’s India on February 4, though it’s possible the leak has been around for much longer. It’s unclear if anyone else knew about the leak and if they were able to exploit it to download data of all McDonald’s India (West & South) customers. The leak remained available for hours after Fallible’s blog post was published, so if the data hadn’t been accessed earlier, it could’ve certainly been downloaded since.
McDonald’s has plugged the leak. However, Fallible states, “The McDonald’s fix is incomplete and the endpoint is still leaking data. We have communicated this again to them and are waiting for their response.”
An official spokesperson for McDonald’s India (West & South), the company that owns and operates the McDelivery app, sent the following statement to Gadgets 360, which verified the leak: “We would like to inform our users that our website and app does not store any sensitive financial data of the users like credit card details, wallets passwords or bank account information. The website and app has always been safe to use, and we update security measure on regular basis. As a precautionary measure, we would also urge our users to update the McDelivery app on their devices.”
The company, reports pointed out, had not denied that personal information was being leaked.
A lack of strong data privacy and protection laws for customers in India has previously been criticised too.
Fallible said in its blog post, “The lack of strong data protection and privacy laws or penalties in India, unlike the European Union, the United States or Singapore has led to companies ignoring user data protection.”