December 13, 2010, 11:53 AM — McDonald's is warning customers to be on guard against identity theft, phishing attacks, or other scams thanks to a data breach. What makes the data compromise more concerning is that it is indicative of a growing hacker strategy to go for the low-hanging fruit rather than staging a direct attack.
Hackers did not breach McDonald's per se. The attackers were able to access the sensitive McDonald's customer data through a third party contracted by a third party contracted by McDonald's. McDonald's hired Arc Worldwide to manage its promotional e-mail campaign, and Arc Worldwide hired another third party to actually distribute the e-mails. That third party, which remains anonymous, is the one that was hacked.
The good news for affected McDonald's customers is that the e-mail promotional campaigns do not involve collecting more sensitive information such as Social Security numbers or credit card information. Still, data such as names, phone numbers, e-mail addresses, physical addresses, and other information that was exposed can be used for social engineering and identity theft attacks.
McDonald's has sent an e-mail to customers alerting them that their personal information may have been exposed. The e-mail asks customers to be more vigilant about potential identity theft or phishing threats, and asks them to contact McDonald's in the event that they receive any communications claiming to be from McDonald's which in any way ask the customer to share personal or financial information.
IT admins should pay close attention to this incident. Just as malware developers have focused more attention on third-party software like Adobe Reader rather than trying to exploit the Windows operating system directly, hackers have also learned that the easiest path to compromising a network is often through a third-party provider.
Partners and vendors often have trusted connections into fortified, high-value networks, and they represent low-hanging fruit that attackers can target. The smaller third-party organizations frequently lack the security policies and controls of the larger companies, and provide an Achilles' heel that hackers can exploit to gain access to the more valuable network, often flying under the radar.