Mar 21, 2017

McDonald's app had a major security flaw, but they won't admit it

By Jayadevan PK

The McDonald’s app in India had a gaping security hole and researchers pointed it out in public last week. When asked about the security flaw, the company sent out the following response:
“We would like to inform our users that our website and app does not store any sensitive financial data of the users like credit card details, wallets passwords or bank account information. The website and app has always been safe to use, and we update security measure on regular basis. As a precautionary measure, we would also urge our users to update the McDelivery app on their devices. At McDonald’s India, we are committed to our users’ data privacy and protection.”
What’s appalling about this statement is that it’s noncommittal at best and takes its users’ security for granted. The company does not take responsibility for the vulnerability and even tries to give users a false sense of security. Sure, the app doesn’t store financial data. But the personally identifiable information the company does store, such as phone numbers, names and addresses, was left exposed by the security flaw, and it should have been secured.
The statement goes on to urge users to update the McDelivery app on their devices. If the website and app have ‘always been safe to use,’ the timing of this ‘precautionary measure’ is suspect.
In India, companies often tend to brush hacks and security breaches under the carpet, hoping that no one will ever find out. Take, for instance, the high-profile hacks in which a hacker group called Legion compromised servers. All the companies involved denied being hacked. But this poses a huge risk to users, who are left completely unaware that their data has been compromised. In countries like the US, there are strict security breach notification laws: companies are required to notify customers and other stakeholders about a breach and to take steps to protect their data.

Jayadevan PK is a writer of FactorDaily.