95,000 files affected in hacking of McDonald’s jobs site
McDonald’s Canada says TORONTO the jobs section of its website has been hacked, compromising the personal information of about 95,000 applicants over the last three years.
The company said Friday the accessed information included names, addresses, phone numbers, employment histories and other standard job application information of those who applied online between March 2014 and March 2017. The site doesn’t collect social insurance numbers, banking information or health information, McDonald’s said.
“At this time, we have no information that the information taken has been misused,” it said in a statement. “We apologize to those impacted by this incident.”
Ira Nishisato, partner and national leader of cybersecurity and cyber risk-management at the law firm Borden Ladner Gervais LLP in Toronto, said it’s usually unclear how personal data will be used in the early stages of a security breach. “When large scale data breaches occur you have a tip of the iceberg phenomenon,” he said.
Nishisato said there is a black market for personal information on the so-called dark web, a part of the Internet not easily publicly available and largely unregulated.
“Hackers who are able to penetrate systems through data breaches will resell personal information for considerable amounts of money,” he said. “That can lead to identity theft and other illegal activity.”
An increasing number of class action lawsuits stemming from data breaches has prompted organizations to take preventative steps against potential cyberattacks, Nishisato said.
“When it comes to a data breach, it’s not an if, it’s a when,” he said.
A McDonald’s Canada spokesman said it appears the breach occurred in mid-March.
Adam Grachnik said McDonald’s has notified every provincial and territorial privacy commissioner as well as the Office of the Privacy Commissioner of Canada of the breach.
A spokeswoman for the federal privacy watchdog said the office is aware of the website breach.
“We’re following up with the organization with respect to what took place and what the company is doing to mitigate the situation,” Anne-Marie Cenaiko said in an email. “The company has submitted a breach report, which we will be reviewing.”
The company said all applicants affected by the breach would be notified by mail, or through other contact information. McDonald’s also said applicants affected by the breach could call the company’s dedicated assistance line.”
At this time, we have no information that the information taken (from the breach) has been misused.