McDonald’s breach: Not catastrophic but not a Happy Meal either
It’s no surprise that McDonald’s is an attractive target for hackers. The iconic burger chain is the world’s second-largest employer, after Walmart, with 1.7 million employees in 39,000 locations across 100 countries.
Its assets are worth more than $33 billion but its brand value is more than four times that, at $143.8 billion, the seventh highest of all U.S. corporations. Its annual revenue is more than $21 billion.
It long ago gave up bragging about how many hundreds of millions of customers it has served — now if it mentions it at all it’s just “billions and billions.”
That’s a lot of burgers. A lot of money. And a lot of data, which is the currency of online crime.
But at least for the moment, it looks like the recent cyber attack on the company could have been a lot worse.
McDonald’s said attackers had breached data in the U.S., South Korea, and Taiwan, including some business contact information for U.S. employees and franchisees, plus information about specific restaurants including seating capacity and the square footage of play areas.
But it said no customer data was compromised in the U.S., and that the employee data exposed wasn’t sensitive or personal.
It also said this was not a ransomware attack. It didn’t disrupt business operations and there was no demand for a ransom, either to decrypt data or to agree not to post it publicly online.
An ominous trend
So almost no harm, right? Just a minor annoyance, prompting a warning to employees and franchisees to watch out for phishing emails.
Well, perhaps on the surface. Clearly this wasn’t even close to the damage caused in the recent Colonial Pipeline ransomware attack, which led to the shutdown of 45% of the fuel supply to the eastern seaboard for almost a week, prompting panic buying and price spikes. Or to the attack on JBS Foods, the world’s largest meat supplier, which led to the temporary shutdown of all its beef plants in the U.S. and a payment of $11 million to the hackers.
It also doesn’t qualify as a threat to national security. While McDonald’s is the most popular fast-food chain in the world, it’s not critical infrastructure. If it goes down, there is no existential threat to the power grid, transportation, healthcare, utilities, or the food supply.
Still, it is one more example of an ominous trend: hacking groups beyond the reach of U.S. law enforcement are breaking in, almost at will, to multinational corporations that, given their resources, presumably would be best able to invest the time and money in better cyber security.
Ironically, McDonald’s said it had invested more in cyber security in recent years, which it said helped it to respond more quickly to the intrusion.
“McDonald’s understands the importance of effective security measures to protect information, which is why we’ve made substantial investments to implement multiple security tools as part of our in-depth cyber security defense,” a spokesperson said.
But it still got breached. And McDonald’s is no outlier. Besides Colonial and JBS, auto giant Volkswagen recently acknowledged in a letter to affected parties that information on more than 3.3 million customers and prospective buyers had been exposed after one of its vendors left a cache of customer data unsecured on the internet.
That data included names, postal and email addresses, and phone numbers. For a smaller group, roughly 90,000 customers, the exposed data also included loan-eligibility information such as driver’s license numbers, and the company said a “small” number of those records included dates of birth and Social Security numbers.
All these breaches of major corporations occurred within about a month. And Prevailion CEO Karim Hijazi, former director of intelligence for security firm Mandiant, told Fox Business that “it really is only going to get worse. We’re going to see a lot more of this.”
That should be no surprise either. Researchers from Proofpoint just reported on what they termed a “robust and lucrative criminal ecosystem,” in which ransomware gangs “often buy access from independent cyber criminal groups who infiltrate major targets and then sell access to the ransomware actors for a slice of the ill-gotten gains.”
In short, the criminals continue to up their game. Which means their targets, like the organizations just attacked, need to up their game as well. The irony is that in many cases they could, but they haven’t. Because the playbook — many playbooks, actually — on how to become a much more difficult target for hackers has been around for years. Obviously, the advice bears some repeating.
The list of best practices starts with software security. As Jonathan Knudsen, technical evangelist at the Synopsys Software Integrity Group put it, “Every organization in every industry is a software organization. Fast food? Oil pipeline? Global shipping? They all depend on software for critical business functions.”
“Consequently, every organization in every industry must embrace a proactive approach to cybersecurity. Without a security mindset in all parts of the organization, the risk of disaster is high,” he said.
How does a security mindset yield better software? Through implementing what is called a secure software development life cycle (SDLC), which means building security into that software during every phase of development. How to do that is also well established.
During implementation, automated tools for static, dynamic, and interactive application security testing can flag weaknesses as developers are writing and assembling code: static analysis inspects the source itself, dynamic analysis probes the running application, and interactive testing instruments the application while it runs. Software composition analysis helps developers find and fix known vulnerabilities and potential licensing conflicts in the open source components they pull in.
At the end of development, penetration testing can mimic hackers to find weaknesses that remain before software products are deployed. If an organization doesn’t have the expertise or capacity to do all that on its own, managed services providers can help.
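To make the software composition analysis step concrete, here is a small worked example of what such a check does inside a build pipeline. It is an added illustration, not code from this article or from any vendor's product, and it is not how any particular SCA tool is implemented. The build manifest, the advisory feed, the advisory identifiers (placeholders, not real CVE numbers), the component names and the license policy are all constructed for the example.

```python
"""Minimal software composition analysis (SCA) check.

Added example, not code from the article or from any vendor's product.
It models one step of the secure SDLC: match the open source components
listed in a build manifest (what a CycloneDX or SPDX SBOM would give you)
against known-vulnerable version ranges and a license policy, then decide
whether the build should be blocked. Manifest, advisories, component names
and policy are constructed for illustration; advisory IDs are placeholders.
"""
from dataclasses import dataclass
from typing import List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    license: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder identifier, not a real CVE
    component: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive)
    severity: str


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed, using numeric comparison."""
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


# Constructed build manifest (hypothetical component names).
SBOM = [
    Component("log-helper", "2.14.1", "Apache-2.0"),
    Component("json-parse", "1.9.2", "MIT"),
    Component("crypto-wrap", "0.8.0", "GPL-3.0-only"),
    Component("http-client", "4.5.13", "Apache-2.0"),
]

# Constructed advisory feed. IDs and ranges are placeholders.
ADVISORIES = [
    Advisory("ADV-0001", "log-helper", "2.0.0", "2.15.0", "critical"),
    Advisory("ADV-0002", "json-parse", "1.0.0", "1.9.0", "high"),
    Advisory("ADV-0003", "http-client", "4.5.0", "4.5.14", "medium"),
]

# Licenses this (hypothetical) proprietary product is allowed to ship with.
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}


def scan(sbom: List[Component], advisories: List[Advisory], allowed: set) -> List[dict]:
    """Return one finding per vulnerable or license-conflicting component."""
    findings = []
    for comp in sbom:
        for adv in advisories:
            if adv.component == comp.name and is_affected(comp.version, adv):
                findings.append({
                    "component": comp.name, "version": comp.version,
                    "type": "vulnerability", "id": adv.advisory_id,
                    "severity": adv.severity, "fix": f"upgrade to >= {adv.fixed}",
                })
        if comp.license not in allowed:
            findings.append({
                "component": comp.name, "version": comp.version,
                "type": "license", "id": comp.license,
                "severity": "policy", "fix": "replace or obtain legal approval",
            })
    return findings


def should_block_build(findings: List[dict]) -> bool:
    """Gate policy: fail the pipeline on critical/high vulns or any license conflict."""
    return any(f["severity"] in {"critical", "high", "policy"} for f in findings)


if __name__ == "__main__":
    results = scan(SBOM, ADVISORIES, ALLOWED_LICENSES)
    for f in results:
        print(f"{f['type']:13} {f['component']}@{f['version']}  {f['id']}  "
              f"{f['severity']}  -> {f['fix']}")
    print("BUILD BLOCKED" if should_block_build(results) else "build may proceed")
```

Two details matter in practice and are easy to get wrong: version comparison must be numeric (lexically, "1.10.0" sorts before "1.9.2"), and the fixed version is exclusive, so a component sitting exactly on the fix version is clean while one a patch level below is not. Real tools also normalise package ecosystems and pull advisories from a live feed; the gating decision at the end is what turns the scan into a control rather than a report.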
Beyond the fundamentals of building better software security, the cyber security industry is awash in other frameworks, lists of best practices, and standards.
- President Joe Biden, barely four months into his first term, issued an “Executive Order on Improving the Nation’s Cybersecurity.” It covers software (including a detailed section on software supply chain security), cloud services, multi-factor authentication, encryption, information sharing, endpoint detection, and incident response. It also calls for leveraging the buying power of government with procurement requirements, meaning federal agencies would be forbidden to buy any digital products or services that don’t meet specific security standards.
- The NIST Secure Software Development Framework (SSDF) and the Building Security in Maturity Model (BSIMM), an annual report on software security initiatives by the Synopsys Software Integrity Group, document best practices that, in many cases, offer demonstrated value in multiple industries.
- An 81-page report released in April by the Institute for Security and Technology’s Ransomware Task Force offers “specific suggestions on things that can be done to minimize the risk, help manage the response and to put appropriate resources onto it,” former FBI chief information officer Gordon Bitko told Fox Business, adding “I think industry and government should take those recommendations seriously.”
Finally, information sharing between government and the private sector on cyberattacks could put organizations on notice about imminent threats and help them mitigate the impact if they are attacked.
This has been highly controversial for years — many private sector organizations and privacy advocates have complained that the government version of information sharing is a “one-way street” in which they are expected to share while the government doesn’t.
But Devin DeBacker, a former deputy assistant attorney general in the Department of Justice, argued in a recent post on Lawfare that, at least when it comes to foreign cyberattacks, Congress has already given the president the authority to mandate information sharing, under the International Economic Emergency Powers Act (IEEPA).
While it would require the president to declare that foreign cyberattacks are a national emergency, “that has already happened” under President Obama and continued under President Trump, he wrote.
If President Biden issues an order under the IEEPA, DeBacker said that would “allow the federal government to capture a broad swath of information that could be used to identify foreign cyberthreats; analyze vulnerabilities in particular attacks and in the broader hardware, software, and services supply chain; and assess current and future consequences to national security, the economy and foreign policy.”
Doing even a substantial portion of all this will take time, of course. As experts have said for years, cyber security is a journey, not an event. And it will never make an organization entirely bulletproof.
But cyber criminals are collaborating and getting better all the time. If the good guys don’t do the same thing, headlines like those of the past month will be daily events. And modern society won’t be able to rely on the critical infrastructure it has long taken for granted.
That is an existential threat. It ought to be treated as such.