
Exposed McDonald’s data may be linked to third-party


The recent theft of customer information belonging to McDonald's is thought to be part of a larger security breach that may affect more than 105 companies that contract with Atlanta-based email marketing services firm Silverpop Systems.

In a notice on its website, McDonald's recently warned customers who registered for promotions or subscribed to any McDonald's website that their email addresses and other personal information may have been compromised by hackers.

The fast-food chain said an unauthorized individual was able to gain access to customer information after defeating the security measures put in place by an email database management firm.

McDonald's did not reveal the name of the firm responsible for maintaining its breached database, but according to at least one report, federal investigators believe it was Silverpop Systems, which also provides marketing services to more than 105 corporate clients.

Silverpop, in a notice to customers on Monday, said that it had suffered a cyberattack that affected a “small percentage” of customer accounts. The company is working with the FBI to investigate the breach and has changed all the passwords for customer accounts.

Federal investigators believe that Silverpop was targeted, along with several other technology providers, as part of a broader attack, Bill Nussey, CEO of Silverpop Systems, wrote in the notice.

“Third-party experts have confirmed that the attack was particularly sophisticated, and we are working with customers and industry peers to share what we have learned,” Nussey wrote in a second notice posted on Wednesday.

At least one other company affiliated with Silverpop has issued a warning to customers about the intrusion. DeviantART, a social networking site for art enthusiasts with more than 13 million members, notified users that their email addresses were stolen by hackers who broke into Silverpop's servers.

“This was probably part of a sweep by spammers,” DeviantART wrote in its notice. “Because we value the information that members give us, we have decided not to rely on the services of Silverpop in the future, and their servers will no longer hold any data from us.”

In another incident that may be connected, drugstore chain Walgreens revealed late last week that its email marketing list was stolen by cybercriminals who used it to send out legitimate-looking phishing emails.

Walgreens did not reveal how the data was stolen, but coincidentally, the drugstore chain shares a business partner with McDonald's. Both companies use the marketing services firm Arc Worldwide — the company that hired Silverpop Systems, according to reports, to manage McDonald's database. 

In the McDonald's case, the breached database contained information that was gathered through voluntary subscriptions to the company's websites or promotions, the chain said. The data may also have included customer names, postal addresses, home or cell phone numbers, birth dates, gender, and information about users' promotional preferences and web information interests. Social Security numbers and financial information were not involved.

The incidents underscore the importance of ensuring all sensitive data — whether stored internally or with a third party — is secure, Josh Shaul, vice president of product management at database security company Application Security, told on Wednesday.

“Firms really need to recognize that the money is in the data, the data is in the database, and they better go protect that database if they want to protect the money,” he said.

Most companies are slacking, though, when it comes to database security, Shaul said. According to research by his company, set to be released next month, fewer than 10 percent of databases contain security controls.
