Sunday, March 19, 2017

5 Takeaways from McDonald’s purported data leakage

Fast food aficionados all over India tend to splurge on the McDonald’s menu, either in-store or through home delivery.

The preferred mode for home delivery is the McDelivery APP.

McDonald’s operates in India through two separate entities, i.e. one for North & East India and another for West & South India.

The welcome screen on requests the user to choose his/her area. Clicking on either link will take the user to independent web-screens.

The North & East footprint is with ‘Connaught Plaza Restaurants Private Limited’, led by Mr. Vikram Bakshi, JV Partner and Managing Director, North & East India.

The South & West India footprint is with ‘Hardcastle Restaurants Private Limited’, led by Ms. Smita Jatia, Managing Director, South & West India.

Hence, there are separate McDelivery Apps for North & East India and West & South India.

According to a blog post published by cybersecurity firm Fallible, "an unprotected publicly accessible API endpoint for getting user details coupled with serially enumerable integers as customer IDs can be used to obtain access to all users personal information."

The data leakage was through McDonald's India app McDelivery for West & South India. The leak exposed personal information of its customers for an unspecified duration of time. This included "name, email address, phone number, home address, accurate home co-ordinates, and social profile links" for "more than 2.2 million" of its users.

As customers in the North and East of India use another app and website, their data doesn't seem to be impacted by this leak.
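A defender can look for the pattern the Fallible quote describes, one client walking consecutive customer IDs on an endpoint that answers without credentials, in the API's access logs. The sketch below is an added example, not code from Fallible or McDonald's; the log format, the `/api/v1/customer/<id>` path, the `auth=` field and the thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed log format: '<ip> auth=<session|none> "GET /api/v1/customer/<id>" <status>'
# The path and the auth= field are hypothetical, not the real app's API.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) auth=(?P<auth>\S+) "GET /api/v1/customer/(?P<cid>\d+)" (?P<status>\d{3})$')

def build_sample_log():
    """Constructed sample: three ordinary customers plus one enumerating client."""
    lines = []
    for ip, cid in [("10.0.0.5", 48213), ("10.0.0.9", 1077), ("10.0.0.12", 90210)]:
        for _ in range(3):  # each logged-in customer reads only their own record
            lines.append(f'{ip} auth=session "GET /api/v1/customer/{cid}" 200')
    for cid in range(5000, 5040):  # one client walks consecutive IDs, no credentials
        lines.append(f'203.0.113.7 auth=none "GET /api/v1/customer/{cid}" 200')
    lines.append("malformed line that the parser must skip")
    return lines

def longest_consecutive_run(ids):
    """Length of the longest run n, n+1, n+2, ... in a collection of integers."""
    ids = set(ids)
    best = 0
    for n in ids:
        if n - 1 not in ids:  # n is the start of a run
            length = 1
            while n + length in ids:
                length += 1
            best = max(best, length)
    return best

def find_enumerators(lines, min_distinct=10, min_run=8):
    """Return {ip: stats} for clients whose requests look like ID enumeration."""
    seen = defaultdict(lambda: {"ids": set(), "unauth_ok": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not hit the customer endpoint
        entry = seen[m["ip"]]
        entry["ids"].add(int(m["cid"]))
        if m["auth"] == "none" and m["status"] == "200":
            entry["unauth_ok"] += 1  # a record was served without any credential
    flagged = {}
    for ip, e in seen.items():
        run = longest_consecutive_run(e["ids"])
        if len(e["ids"]) >= min_distinct and run >= min_run:
            flagged[ip] = {"distinct_ids": len(e["ids"]), "longest_run": run,
                           "unauth_ok": e["unauth_ok"]}
    return flagged

if __name__ == "__main__":
    for ip, stats in find_enumerators(build_sample_log()).items():
        print(ip, stats)
```

A non-zero `unauth_ok` count is the more important signal: it means the endpoint itself needs an authorization check tying the requested customer ID to the logged-in user, regardless of whether the IDs are guessable.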

As of now, McDonald's has not issued any press statement on its website i.e. @

However, an official spokesperson for McDonald's India (West & South), the company that owns and operates the McDelivery app, sent the following statement to Gadgets 360:

“We would like to inform our users that our website and app does not store any sensitive financial data of the users like credit card details, wallets passwords or bank account information. The website and app has always been safe to use, and we update security measure on regular basis. As a precautionary measure, we would also urge our users to update the McDelivery app on their devices”.

Takeaway 01) Log in through a new sign-up only; do not log in through social media user accounts, i.e. Facebook or Google Plus.

Takeaway 02) Opt to sign out if your interaction with the APP is less than 3 times a month. Instead, create a fresh User ID if you intend to interact with the APP less than 3 times a month.

Takeaway 03) Use the ‘Contact Us’ option to ask the APP Administrator to disable your account if you do not use it for 3 months. If you have not used the APP for 3 months, it means your need to have an account with the APP is minimal.

Takeaway 04) Consider opting for deliveries through Aggregator APPs rather than Individual restaurant APPs. Of course, it is assumed that Aggregator APPs are more secure as compared to Individual restaurant APPs.

Takeaway 05) Take calculated risks; nothing is safe in this world.

Recently, McDonald’s has embarked on a major branding exercise, with its ‘Experience of the Future’ (EOTF) restaurants being launched in India. The first EOTF will be in Mumbai.

McDonald’s is looking for an AGM Information Technology (Consumer Facing Technology).

One of the major KRAs is: “Drive online delivery and restaurant process improvement, integration with ecosystem partners (food aggregators, delivery, payment providers)”.

By the way, I always enjoy McDonald’s menu at the store only, so have not downloaded the McDelivery App!!