Poor Cybersecurity Practices Could Have Caused a Major McDonald’s Data Breach

A lesson for all of us.
July 15, 2025 / meritsolutions

There are many advanced tools to help prevent cyberattacks from occurring, but the best tools are the simplest. Basic cybersecurity practices, like using strong and unique passwords and multi-factor authentication, can mean the difference between fending off bad actors and dealing with a ransomware situation.

This applies to everyone from individuals to companies of all sizes. It doesn’t matter if your business is small or global in scale: These cybersecurity measures need to be followed. Otherwise, your network and data could be at risk.

You only need to look at what happened to McDonald’s this week to see why. As reported by WIRED, the company suffered a data breach, specifically of its hiring portal. Luckily, the breach was not a malicious one; rather, it was the discovery of two cybersecurity researchers, who found the data of 64 million McDonald’s job applicants (in case you needed a reminder of how large a corporation McDonald’s is).

The researchers breached McHire, McDonald’s AI-powered chatbot designed for hiring. But the breach didn’t happen because researchers used sophisticated tactics to break into McDonald’s network. Instead, as it turns out, McHire, operated by Paradox.ai, had a login option configured with its default credentials: The username was 123456, and the password was 123456. The company did not configure the bot with multi-factor authentication, nor were there any advanced cybersecurity prevention measures. It was 123456, and 123456.

McHire is more than McDonald’s version of ChatGPT. The bot is responsible for accepting applications from McDonald’s candidates from dozens of countries across the world, as well as conducting interviews with those candidates through the bot “Olivia.” Data included names, email addresses, and phone numbers.

This type of data breach is entirely preventable. Had Paradox.ai set up McHire with unique credentials and, importantly, MFA, this breach would not have been possible, at least not on this scale. 123456/123456 is bad enough, but even MFA alone would have stopped bad actors who realized the credentials issue—even with that knowledge, they wouldn’t have had access to the secondary authentication method, and this story would not have occurred. Fortunately, researchers discovered the vulnerability before bad actors did. Paradox.ai has patched the flaw.

It’s a good lesson for us all—use strong and unique passwords, and always use MFA when offered.
