McDonald's India McDelivery app said to be leaking 2.2 million customer's data

The leak that took place yesterday saw approximately the data of 2.2mn users in India being leaked with sensitive information like name, phone number, email address, home address, social media profile links which is crucial in accessing the information of debit, credit cards apart from mobile wallets.

The official response from McDonald's was posted on their twitter page, "Our website and app do not store any sensitive financial data of users like credit card details, wallet passwords or bank account information".

"As a precautionary measure, we would also urge our users to update the McDelivery app on their devices", it added. These reports further point to, Fallible, a Saas cyber security company, which had contacted McDelivery about the data leak on February 7, 2017.

Fallible said that it reported the company about the endpoints error on February 4.

"An unprotected publicly accessible API endpoint for getting user details coupled with serially enumerable integers as customer IDs can be used to obtain access to all users personal information". This comes after an independent blog - Hackernoon - released a report saying that users' personal data was compromised.

Using the McDonald's McDelivery app to place your orders from the fast food chain?

Statement from McDonalds India. "In fact, we are pleasantly surprised when we find Indian companies without a personal or payment data leak vulnerability in their APIs". "The website and app has always been safe to use, and we update security measure on regular basis", according to the post.

McDonald's did not immediately comment over the weekend.

India often suffers from poor data protection and privacy laws, meaning online sites, apps and services are often much more poorly protected than in the UK.

The North & East division of McDelivery and the website are run by a different organization, which makes it pretty clear that the leak is only seen in the South & West division of the app.

  • Arturo Norris