The list of major American consumer brands that have suffered data breaches this year has grown by one in the last few weeks.
But it’s a big one – McDonald’s™. The company was recently victimized by data breaches that left the personal data of its customers exposed to cyber criminals.
The fast food giant fumbled a major e-mail campaign last month, leaving a wide-open gap for online scammers to lift key data like names, birthdays, addresses, and phone numbers— but not credit card or Social Security numbers.
According to the company, the breach occurred on computer systems operated by an e-mail database management firm hired by McDonald’s long-time business partner Arc Worldwide. (Arc is the marketing services arm of advertising firm Leo Burnett, McDonald’s spokeswoman Danya Proud said in a statement.)
Here’s the letter McDonald’s wrote to its customers, apologizing for the mess – and trying to minimize it, too.
Potential Access to Customer Data by Unauthorized Third Party
Dear Valued McDonald’s Customer,
Our records indicate you previously elected to submit information to McDonald’s in connection with one of our websites or promotions. We wanted to let you know there is a possibility that the limited information you provided to McDonald’s through its websites or promotions was improperly accessed by an unauthorized third party.
By way of background, McDonald’s asked Arc Worldwide, a long-time business partner, to develop and coordinate the distribution of promotional emails.
Arc hired an email service provider, a standard business practice, to supervise and manage the email database. That email service provider has advised that its computer systems recently were accessed by an unauthorized third party, and that information, including information that you provided to McDonald’s, may have been accessed by that unauthorized third party. Law enforcement officials have been notified and are investigating this incident.
McDonald’s does not collect sensitive financial information, such as Social Security Numbers or credit card numbers on-line or through email. As such, the information improperly accessed did not include this type of information. Rather, the limited information you provided to McDonald’s included information required to confirm your age, a method to contact you (such as name, mobile phone number, and postal address and/or e-mail address), and other general preference information.
In the event that you are contacted by someone claiming to be from McDonald’s asking for personal or financial information, do not respond and instead immediately contact us at the number below so we can contact the authorities. Please remember, McDonald’s would not ask for that type of information online or through email.
We apologize for any concern this incident may cause. Protecting our valued customers is very important to us. If you have any questions or concerns, rather than replying to this email, please contact us immediately at our toll-free number 1-800-244-6227.
McDonald’s Customer Satisfaction Team.
Notice McDonald’s tries to downplay the data loss, calling consumer names, birthdays, cell phone numbers, addresses, and email addresses as “limited” personal data. But studies show that cyber-thieves don’t need much more than that to gain access to your personal financial life. Sure, McDonald’s is playing defense here, but is a little transparency after a serious security breach too much to ask?
Our takeaway? If there is one present American consumers really want for Christmas this year, it would be that brand name behemoths become as protective of the personal identifying information of their customers and employees (arguably their most precious asset), as they are covetous of their trade secrets and intellectual property.
Originally posted at Credit.com.
