The popular fast-food chain McDonald’s accidentally sent out more information than they should – along with coupons for free fries, the emails also included passwords of a database associated with its Monopoly VIP game.
The Monopoly UK VIP game began in late August. However, a recent roundup of emails containing various prizes for winners included much more than just the prize coupons.
The blunder was caught and brought to attention by a researcher named Troy Hunt, along with a few winners who were actually tech-savvy and knew what they received. According to experts, if the credentials had fallen into ‘the wrong hands,’ then there would’ve been cheating and player rip-offs at a mass scale.
However, according to McDonald’s, the server passwords were changed as soon as the mistake was reported to them.
Mohit Tiwari, the CEO of Symmetry Systems, said in a statement to Threatpost that this kind of human error is very hard to prevent. Incidents like these should prompt organizations to identify and lock down the large amounts of customer data they hold.
Tiwari further said:
“Modern data-store security products bring zero-trust principles to data, ensuring that there is no one point of failure and that risk-based controls monitor every access to crown-jewel data”
McDonald’s Monopoly VIP Server Credentials Incident
McDonald’s Monopoly is a long-running promotion that began in 1987. Customers purchase items from McDonald’s, collect game pieces, and enter the codes printed on those pieces on McDonald’s website to redeem prizes.
This year’s Monopoly VIP game runs through October 19, and the company’s game site says:
“Collect and complete property sets to win prizes! Once you’ve completed a set, visit the website address printed on the winning game piece and enter all the property codes to claim your prize,”
However, on September 6th, Australian web security consultant Troy Hunt tweeted a screenshot of the email that had been sent to a prize winner, database passwords included, and captioned it:
“Never trust a clown to secure your connection strings.”
— Troy Hunt (@troyhunt) September 6, 2021
In addition, another McDonald’s Monopoly VIP game winner, with the username “cretorsphereco,” posted a TikTok video titled “I don’t want these, Please answer emails McD.” He explained the credential leak and added:
“Currently I have the keys to the kingdom. And I don’t want them.”
After Hunt’s tweet, McDonald’s took action, as confirmed by a follow-up tweet from Hunt:
They've been notified and passwords (well, the same password on both production and development / staging…) have already been changed. As to how you end up publishing *both* your connection strings into a mass email remains a mystery…
— Troy Hunt (@troyhunt) September 6, 2021
McDonald’s acknowledged the credential leak on September 7th in a statement to BleepingComputer. The fast-food chain said:
“Due to an administrative error, a small number of customers received details for a staging website by email. No personal details were compromised or shared with other parties. Those affected will be contacted to reassure them that this was a human error and that their information remains safe. We take data privacy very seriously and apologize for any undue concern this error has caused.”
Human Error and Securing Customer Data
According to Javvad Malik, a security awareness advocate at KnowBe4, errors like these are a major threat to every organization. He continued:
“McDonald’s stated that this leak was due to human error — which is a far more common occurrence than one may think. It’s why it’s important that all organizations take steps to reduce the risk posed by human error. This includes having processes that involve checks so that no service goes live, or no changes are made without security assurance such as penetration testing.”
He added that such checks help build a habit of security awareness.
Security teams should start by locking down consumer data specifically, since it is a prime target for cybercriminals, said Mohit Tiwari, CEO of Symmetry Systems.
“The knee-jerk response to such errors is to double down on application security — but perfectly securing hundreds of millions of lines of code is an impossible ask and doing surface level code scans (‘AppSec’) or asking for software bill of materials (SBOM) are extremely low-leverage activities,” he added. “In this case, protections around data can ensure that even if attackers know the database location/IP, username, and password, they are unable to use these — since data store access is confined to specific application-roles, IAM, and cloud-network perimeters, etc.”
Lastly, he noted that data security tools can also monitor how the various applications access that data.
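Malik’s point about checks before anything goes out, and Hunt’s observation that both the production and the staging connection string (with the same password) ended up in a mass email, suggest one concrete control: a pre-send gate that scans outbound mail bodies for connection strings and flags password reuse across them. The code below is an added illustration, not McDonald’s or any vendor’s tooling; the hostnames, the sample coupon email and the password are constructed for the example, and the patterns cover only the common URL-style and key/value-style connection-string shapes.

```python
import re
from urllib.parse import urlparse, unquote

# URL-style DSNs such as postgresql://user:pass@host:port/db (common schemes only).
URL_DSN = re.compile(
    r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis|mssql|sqlserver)://[^\s'\"<>]+",
    re.I,
)
# Key/value-style DSNs such as Server=host;Database=db;User Id=u;Password=p;
KV_DSN = re.compile(
    r"\b(?:server|host|data source)\s*=\s*[^;\s]+\s*;[^\n]*?(?:password|pwd)\s*=\s*[^;\s]+",
    re.I,
)


def find_connection_strings(text):
    """Return every connection-string-looking substring found in text."""
    hits = [m.group(0) for m in URL_DSN.finditer(text)]
    hits += [m.group(0) for m in KV_DSN.finditer(text)]
    return hits


def extract_password(dsn):
    """Pull the password out of either DSN shape, or None if there is none."""
    if "://" in dsn:
        parsed = urlparse(dsn)
        return unquote(parsed.password) if parsed.password else None
    m = re.search(r"(?:password|pwd)\s*=\s*([^;\s]+)", dsn, re.I)
    return m.group(1) if m else None


def redact(dsn):
    """Mask the password so findings can be logged without re-leaking it."""
    dsn = re.sub(r"(://[^:/@\s]+:)[^@\s]+@", r"\1***@", dsn)
    return re.sub(r"((?:password|pwd)\s*=\s*)[^;\s]+", r"\1***", dsn, flags=re.I)


def audit_outbound_email(body):
    """Gate an outbound message: returns (ok, findings).

    ok is False when the body carries any connection string; a second
    finding is raised when several strings share one password, which is
    the production/staging reuse Hunt pointed out.
    """
    findings = []
    dsns = find_connection_strings(body)
    for dsn in dsns:
        findings.append(f"connection string in message body: {redact(dsn)}")
    passwords = [p for p in (extract_password(d) for d in dsns) if p]
    if len(passwords) > 1 and len(set(passwords)) < len(passwords):
        findings.append("same password reused across multiple connection strings")
    return (len(findings) == 0, findings)


# Constructed sample mailing (hostnames and password are placeholders).
SAMPLE_EMAIL = """Congratulations! Here is your coupon for free fries: FRIES-2021-XXXX
Production: postgresql://app:Passw0rd!@prod-db.internal.example:5432/game
Staging: Server=stg-db.internal.example;Database=game;User Id=app;Password=Passw0rd!;
"""

if __name__ == "__main__":
    ok, findings = audit_outbound_email(SAMPLE_EMAIL)
    print("send allowed" if ok else "send blocked")
    for f in findings:
        print(" -", f)
```

Wiring this into the mail pipeline as a hard stop (block the send, alert the owner) rather than a warning is what turns it into the kind of go-live check Malik describes; the redacted findings can go straight to a ticket without copying the secret again.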
This is far from the first time a large company has been caught up in a data mishap. Data breaches, whether self-inflicted or the work of threat actors, have touched every industry: from Microsoft’s email hack to T-Mobile exposing its customers’ sensitive information, accidental data leaks turn up everywhere.
This is why companies need to ensure that all of their data, especially consumer data, is stored securely, and why they need to keep improving their cybersecurity practices to avoid data breaches.