McDonald's delivery customers put at risk by possible data breach

The delivery system for McDonald's in India had a worrying bug, but fortunately, threat actors do not appear to have found it.


A delivery system for McDonald's in India was flawed in a way that exposed customer and driver data and allowed people to place fraudulent orders, a security researcher has found. Eaton Zveare, a cybersecurity researcher at Traceable AI, found a bug in the API of the McDelivery system serving McDonald's India (West & South). The delivery system, which is apparently owned by a company called Hardcastle Restaurants, had a vulnerability that exposed delivery customers' names, email addresses, and phone numbers.

For drivers, it exposed vehicle numbers, profile pictures, and the real-time location of their deliveries. In addition, the bug allowed anyone to access, hijack, redirect, or track orders in real time, and to place orders for as little as $0.
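The article does not describe how the API was flawed. The symptoms it lists (anyone could view, redirect or track another customer's order, and place orders at $0) are the symptoms of an API that looks orders up by ID without checking who is asking, and that trusts a price supplied by the client. The Python below is an added illustration of those two defect classes next to their fixes; it is not McDelivery code, and every function name, menu price, account and order in it is made up for the example.

```python
"""Added illustration: an order API that trusts the caller, beside a hardened one.

Everything here (menu, accounts, order IDs, function names) is constructed for
the example and is not taken from any real delivery system.
"""
from dataclasses import dataclass
from itertools import count
from typing import Dict

# Server-side price list (hypothetical prices, in rupees).
MENU_PRICES = {"burger": 199, "fries": 99}


class Forbidden(Exception):
    """Caller may not see or change this order."""


class BadRequest(Exception):
    """Client-supplied data failed validation."""


@dataclass
class Order:
    order_id: int
    owner: str              # account that placed the order
    items: Dict[str, int]   # item name -> quantity
    total: int              # amount the customer is charged
    address: str            # delivery address


_ids = count(2000)

# Constructed sample orders belonging to two different customers.
ORDERS: Dict[int, Order] = {
    1001: Order(1001, "alice", {"burger": 1}, 199, "12 Park St"),
    1002: Order(1002, "bob", {"fries": 2}, 198, "7 Lake Rd"),
}


def server_price(items: Dict[str, int]) -> int:
    """Recompute the total from the server's own price list, never from the client."""
    if not items:
        raise BadRequest("empty order")
    total = 0
    for name, qty in items.items():
        if name not in MENU_PRICES or not isinstance(qty, int) or qty < 1:
            raise BadRequest(f"invalid line item: {name!r} x {qty!r}")
        total += MENU_PRICES[name] * qty
    return total


# --- vulnerable pattern ---------------------------------------------------

def get_order_vulnerable(caller: str, order_id: int) -> Order:
    """Looks the order up by its sequential ID and never compares it with the
    caller, so any authenticated user can read (and keep polling, i.e. track)
    anyone else's order. This is broken object-level authorization."""
    return ORDERS[order_id]


def create_order_vulnerable(caller: str, items: Dict[str, int],
                            client_total: int, address: str) -> Order:
    """Stores whatever total the client sent; a tampered request can make it 0."""
    oid = next(_ids)
    ORDERS[oid] = Order(oid, caller, items, client_total, address)
    return ORDERS[oid]


# --- hardened pattern -----------------------------------------------------

def get_order_hardened(caller: str, order_id: int) -> Order:
    """Look the order up AND confirm it belongs to the caller. Missing and
    not-yours get the same answer so the API does not reveal which IDs exist."""
    order = ORDERS.get(order_id)
    if order is None or order.owner != caller:
        raise Forbidden("order not found for this account")
    return order


def redirect_order_hardened(caller: str, order_id: int, new_address: str) -> Order:
    """Changing the delivery address goes through the same ownership check."""
    order = get_order_hardened(caller, order_id)
    order.address = new_address
    return order


def create_order_hardened(caller: str, items: Dict[str, int], address: str) -> Order:
    """Ignore any client-supplied price and compute the total server-side."""
    oid = next(_ids)
    ORDERS[oid] = Order(oid, caller, items, server_price(items), address)
    return ORDERS[oid]


def denied(fn, *args) -> bool:
    """True if the hardened checks reject the call."""
    try:
        fn(*args)
    except (Forbidden, BadRequest):
        return True
    return False


if __name__ == "__main__":
    print("vulnerable read of bob's order by alice:", get_order_vulnerable("alice", 1002))
    print("hardened read rejected:", denied(get_order_hardened, "alice", 1002))
    print("vulnerable $0 order:", create_order_vulnerable("mallory", {"burger": 2}, 0, "x").total)
    print("hardened total:", create_order_hardened("mallory", {"burger": 2}, "x").total)
```

The two fixes are independent: the ownership check closes the read, track and redirect paths, while recomputing the price on the server closes the $0 order path. Neither depends on the order IDs being unguessable; randomizing IDs alone would not have fixed either problem.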

01. No data breach recorded

Zveare found the vulnerabilities in June 2024, and McDonald's fixed them in September. According to the company, no threat actors stumbled upon the bug, and no customers were actually exposed.

McDonald's India said a “thorough verification of systems and logs” showed the flaws did not result in a breach of its customer data. “We conduct regular audits and assessments to continuously strengthen our security measures, and have all the necessary enhancements implemented, ensuring all our systems are up to date and secure,” Sulakshna Mukherjee, a spokesperson for McDonald's India (West & South), said in an emailed statement. While we don't know exactly how many people were put at risk by the bug, the publication Zveare spoke to was told “hundreds of millions” of orders were exposed.

“The McDelivery (West & South) mobile app uses the same exact back-end APIs as the website. As a result, both were vulnerable to the same exploits,” the researcher told the publication. Since the delivery system for India North & East is separate, those parts of the country were not affected, nor were other countries.
