McDonald's is the latest high-profile business to be hit by a cyber attack. Last week's exploit successfully penetrated the company's systems, enabling the hackers to steal data from its U.S., South Korean and Taiwanese businesses, according to the Wall Street Journal, which broke the story. McDonald's subsequently hired third-party consultants to help with forensic work. It was they who identified what type of data was stolen from where.
Apparently, the company notified Asian regulators a week following the discovery of the exploit. Meanwhile, the company continued to operate as normal.
The Facts
On June 4, McDonald's was the victim of a successful cyber attack involving the exfiltration of data. Reportedly, business data was siphoned in the U.S., including information about U.S. employees and franchisees. However, in South Korea and Taiwan, customers' email addresses, physical addresses and phone numbers were compromised. Also in Taiwan, some employees' names and contact information were compromised.
McDonald's reportedly said that the scope of the information leak was "small" and that it had hired outside consultants after it identified unauthorized access to one of the internal security systems.
McDonald's credited its cybersecurity investments for allowing the company to identify and respond to the threat as quickly as it did. However, it took the company one week to stop the unauthorized access to the data. The company also acknowledged that it needs to fortify its cyber security fabric. In the meantime, it is notifying regulators and Asian customers whose information was stolen.
The attack did not involve ransomware. However, McDonald's is warning people to be vigilant about potential phishing campaigns.
Lessons Learned
No amount of cyber security investments will protect a company from all possible incidents. It's a people, process and technology issue which is constantly evolving. As a result, security fabrics are becoming more complex, necessitating better end-to-end visibility and the ability to react faster.
More fundamentally, CISOs and security professionals need to be thinking in multiple dimensions including core, edge, network, proactive, reactive, firmware, applications, containers, internal and external threats, permissions, authorization, authentication and the company's ongoing cyber risk awareness requirements.
In this case, the attack was launched from an internal security system, though the root cause of the issue has not been reported.
Quick Tips
Every high-profile exploit should serve as a reminder that even big companies with deep pockets have inadequate security controls. These types of events present a "teaching moment" in which security professionals should scrutinize their own systems and non-security professionals should be reminded of good cyber hygiene practices.
- Cyber security assessments should be ongoing.
- In addition to protecting hardware, software and network assets, their interconnections and data sharing should be well-understood and also hardened.
- Make sure your incident response plan is up to date.
- Make sure that permissions for former employees have been deactivated.
- Remind employees what they can do to avoid or minimize the possibility of falling victim to phishing and malware – what to do and what not to do.
- Remind the security team that even security products can be compromised.