McDonalds delivery customers put at risk by possible data breach

Red padlock open on electric circuits network dark red background

(Image credit: Shutterstock/Chor muang)

A researcher found a flaw in a McDonalds API which allowed them to hijack orders
The bug also leaked sensitive information
It was fixed in September 2024, but users should still be careful

A delivery system for McDonalds in India was flawed in a way that exposed sensitive customer information, and allowed people to make fraudulent orders, experts hae claimed.

Cybersecurity researcher Eaton Zveare from Traceable AI, who found a bug in the API of the delivery system in McDonalds India (West & South).

The delivery system, which is apparently owned by a company called Hardcastle Restaurants, had a vulnerability which exposed delivery customer names, email addresses, and phone numbers. For the drivers, it exposed vehicle numbers, profile pictures, and tracked real-time location of their deliveries. Besides, the bug allowed people to access, hijack, redirect, or track orders in real-time. They could also make orders for as little as $0.01.

No data breach recorded

Zveare found the vulnerabilities in June 2024, and McDonalds fixed it in September. Allegedly, no threat actors stumbled upon this bug, and no customers were actually exposed.

McDonald’s India said a “thorough verification of systems and logs” showed the flaws did not result in a breach of its customer data.

“We conduct regular audits and assessments to continuously strengthen our security measures, and have all the necessary enhancements implemented, ensuring all our systems are up to date and secure,” Sulakshna Mukherjee, a spokesperson at McDonald’s India (West & South), said in a statement emailed to TechCrunch.

While we don’t know exactly how many people were put at risk through the bug, TechCrunch was told “hundreds of millions” of orders were exposed.

“The McDelivery (West & South) mobile app uses the same exact back-end APIs as the website. As a result, both were vulnerable to the same exploits,” the researcher told the publication.

Since the delivery system for India North & East is different, these parts of the country were not affected, and other countries are safe, too.

Lessons in cybersecurity from the Internet Archive Breaches
Here's a list of the best antivirus tools on offer
These are the best endpoint protection tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.