McDonald’s hack exposes applicants
TORONTO — McDonald’s Canada said the jobs section of its website has been hacked, compromising the personal information of about 95,000 applicants over the past three years.
The company said Friday the accessed information included names, addresses, phone numbers, employment histories and other standard job application information of those who applied online between March 2014 and March 2017.
The site doesn’t collect social insurance numbers, banking information or health information, McDonald’s said.
“At this time, we have no information that the information taken has been misused,” the company said. “We apologize to those impacted by this incident.”
Ira Nishisato, partner and national leader of cyber security and cyber risk-management at the law firm Borden Ladner Gervais LLP in Toronto, said it’s usually unclear how personal data will be used in the early stages of a security breach.
“When large-scale data breaches occur you have a tip of the iceberg phenomenon,” he said. “You’re aware certain information may have been compromised but you’re typically not aware of the full extent of the breach or of what use that information may have been put to.”
Nishisato said there is a black market for personal information on the so-called dark web, a part of the Internet that is not easily accessible to the public and is largely unregulated.
“Hackers who are able to penetrate systems through data breaches will resell personal information for considerable amounts of money,” he said. “That can lead to identity theft and other illegal activity.”
An increasing number of class-action lawsuits stemming from data breaches has prompted organizations to take preventative steps against potential cyber attacks, Nishisato said.
“When it comes to a data breach, it’s not an if it’s a when,” he said. “It’s fair to say you can never be 100 per cent cybersecure. But there is a great deal you can do to limit your exposure and liability from a legal perspective.”
It appears the breach occurred in mid-March. McDonald’s has notified every provincial and territorial privacy commissioner as well as the Office of the Privacy Commissioner of Canada of the breach. The company said all applicants directly affected by the privacy breach would be notified by mail, phone or email.