First, it was Ashley Madison. Then it was Sony. Now it is McDonald’s India. According to media reports, McDelivery, the India app of US-based fast food restaurant chain McDonald’s, has leaked the personal data of more than 2.2 Mn users.
Disputing this development, the official spokesperson of McDonald’s India (west & south) made an official statement: “We would like to inform our users that our website and app does not store any sensitive financial data of users like credit card details, wallets passwords or bank account information. The website and app has always been safe to use, and we update security measures on a regular basis. As a precautionary measure, we would also urge our users to update the McDelivery app on their devices. At McDonald’s India, we are committed to our users’ data privacy and protection.”
Statement from McDonalds India. pic.twitter.com/1tK5D1FACp
— McDonald’s India (@mcdonaldsindia) March 18, 2017
As per reports, user information such as names, phone numbers, email addresses, home addresses, and social profile links has been leaked. The reports further point to Fallible, a SaaS cyber security company, which had contacted McDelivery about the data leak on February 7, 2017, and received an acknowledgement from a senior IT manager at the firm. Fallible’s blog reported, “The McDonald’s fix is incomplete and the endpoint is still leaking data.”
McDonald’s is not the first company to face a data breach in India. Earlier, in 2015, companies like Times Internet’s Gaana.com, cab-hailing app Ola and online restaurant search and discovery service startup Zomato also faced this issue.
In May 2016, Inc42 reported that the personal data of about 1 Cr IRCTC users was leaked from the website’s server.
With demonetisation coming into play and an increase in cyber security crime in this decade, the Ministry of Electronics and Information Technology (MeitY) has come up with a set of guidelines for wallet firms. In March 2017, MeitY released new guidelines, drafted as the Information Technology (Security of Prepaid Payment Instruments) Rules 2017, for the security of prepaid payment instruments under the Information Technology Act 2000.