McDonald's India Security Flaws Expose Customer Data Through McDelivery System


McDonald's India (West & South) faced a major security incident involving its McDelivery system that potentially exposed sensitive customer and driver information, as revealed by security researcher Eaton Zveare.

The vulnerabilities, discovered in July, were found in the application programming interfaces (APIs) of the delivery system operated by Hardcastle Restaurants. The flaws allowed unauthorized access to customer orders and personal information through multiple security gaps.

According to Zveare's findings, the bugs enabled anyone to:

  • Access and manipulate customer orders
  • Track deliveries in real-time
  • Place legitimate orders for just $0.01
  • View customer invoices and submit feedback

The exposed data included customers' full names, email addresses, phone numbers, as well as drivers' vehicle information, profile pictures, and real-time location data.

While McDonald's India says its internal investigation found no actual data breach, the researcher indicated that the vulnerabilities potentially affected "hundreds of millions of orders" placed through both the mobile app and the website, which share the same backend systems.

"The McDelivery mobile app uses the same exact backend APIs as the website. As a result, both were vulnerable to the same exploits," Zveare explained to TechCrunch.

The company fixed the security issues by late September, following the researcher's report. This is not the first security incident for McDonald's India: in 2017, its delivery app leaked the personal information of approximately 2.2 million customers.

McDonald's India spokesperson Sulakshna Mukherjee stated they conduct regular security audits and have implemented necessary enhancements to protect their systems, though the exact number of potentially affected customers remains undisclosed.
