No company is immune to data breaches and other cybersecurity threats. In fact, larger companies with extensive amounts of data to secure and sprawling, international networks may be at a heightened risk level, despite larger IT budgets. This point was driven home by the recent announcements from McDonald's and Volkswagen that each corporation had experienced a data breach impacting their consumer data. The fast food empire and automobile manufacturer, respectively, are currently looking into their next steps.
A personal data problem
McDonald's announced its breach at the beginning of June, according to Security Magazine. Data from the breach came from all over the world, with information reported compromised in Taiwan, South Korea and the U.S.
In those Asian markets, compromised personal information included customer emails, phone numbers and addresses which were used for food delivery. No personal data was reported stolen in the U.S. The corporation noted that none of the compromised information was of a "sensitive or personal" nature. Other information involved in the breach included restaurant square footage and other franchise data. Nevertheless, McDonald's announced that it was contacting customers and regulators in two different places, according to CNN.
The McDonalds announcement quickly caught the attention of cybersecurity experts. According to Tessian co-founder Ed Bishop, speaking with Security Magazine, the breach is a prime example of why employee education is key for companies — as some of the data could be used for future phishing scams against franchises. In a multinational corporation the size of McDonald's, that can be an extensive undertaking.
"The warning for all McDonald's employees and franchisees, then, is to watch out for phishing emails and verify any requests for payments or information with the supposed source via another means of communication before complying with the request. No matter how urgent the message appears, always take a minute to check its legitimacy," Bishop explained.
In its statement, McDonald's said that it has enlisted the help of an external consultant to help determine the scope of the breach and appropriate action. The company also credited its investment in cybersecurity infrastructure for helping it catch the issue early. The data in question was exposed for about a week before access was cut off.
Third-party issues are a continuing trend
While the McDonald's case is a clear example of the need for consistent employee cybersecurity education, Volkswagen's recent data breach illustrates a different common problem for larger companies: third-party vendors that make mistakes.
On June 11, the American branch of the automotive giant announced that the files of about 3.3 million consumers had been breached — mostly customers who had purchased an Audi vehicle between 2014 and 2019, according to Automotive News. In its statement, Volkswagen said that the vast majority of the data was contact information and not necessarily sensitive, with only a small amount of financial data compromised.
The impacted data was compromised when a third-party vendor, Michigan-based Shift Digital, left a file unsecured.
The situation is relatively similar to a recent breach of another company Accellion, which serves as a third-party vendor for several prominent law firms, financial institutions and universities. The software company's file sharing application, called File Transfer Appliance (FTA), contained a zero-day vulnerability and was almost 20 years old.
Cybersecurity you can trust
Whether you're a world-dominating franchise or a growing up-and-coming enterprise, it's essential to keep your data secure. This is especially true if you're working with large amounts of personal data, like both McDonalds and Volkswagen were. A consumer data breach won't just cost you in lost time and resources fixing the problem but could result in litigation from impacted consumers or even fines from a regulator. One of the easiest and most important ways to shore up your network is by ensuring all of your applications are protected by modern, secure identity frameworks. This can include multi-factor authentication, and some vendors are even moving to integrate biometric recognition technologies such as fingerprint readers.