
Nuggets of information stolen in McDonald's data breach

McDonald's, the largest fast-food chain globally, has disclosed a data breach after hackers breached its systems and stole information belonging to customers and employees from the US, South Korea, and Taiwan, according to the National Management Centre.

As the world's leading global foodservice retailer, McDonald's serves almost hundreds of millions of customers every day in more than 39,000 locations in over 100 countries, including almost 1,300 restaurants in the UK, and a staggering 14,000 restaurants in the United States.

Given the size of McDonald’s, this data breach has attracted a lot of outside attention, both within the fast-food industry and beyond. It must be noted that this is not the first large-scale data breach at the company: in 2017, plaintext passwords and usernames were leaked worldwide.

This data breach differed from the one in 2017 in that it affected employees as well as customers. However, employee data was obtainable by threat actors only in the US, where McDonald’s confirmed that the information was not personal or sensitive.

What is most worrying for the global giant is the vast array of data stolen from customers abroad (South Korea and Taiwan). This data included names, emails, phone numbers, and addresses. This was by far the most sensitive data contained within the leak, and the number of customers directly affected is as yet unknown.

McDonald’s did confirm that no payment details were included in the breach.

All customers affected by the breach will be contacted by official means by McDonald’s in due course.



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.
