Recently it was reported on a blog that McDonald's India's McDelivery application was haemorrhaging the data of up to 2.2 million users. This includes the personal email addresses, physical addresses and associated coordinates, phone number(s), names and any associated social media details of the patrons.
The information was provided by a Bangalore-based security startup, Fallible, who allege that they contacted McDonald's with the relevant data in early February and that this was acknowledged by a senior IT management officer in the company. Since then, however, the loophole has yet to be plugged, and Fallible have stated,
“continued effort to get an update for the fix after the initial acknowledgement has failed.”
Because Fallible contacted McDonald's under their responsible disclosure agreement, it could not go public with the data immediately.
According to Fallible, the reason for this data leak is as follows: “An unprotected publicly accessible API endpoint for getting user details coupled with serially enumerable integers as customer IDs can be used to obtain access to all users' personal information.” The firm also claimed that it has found more than 50 such instances of data leaks in other Indian organisations.
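The flaw Fallible describes combines two missing controls: no check of who is calling the endpoint, and identifiers that can be guessed. The following added example (not code from McDonald's, Fallible or the original article) contrasts that pattern with a handler that requires a session and only returns the caller's own record; all function names, the in-memory stores and the sample data are assumptions made for illustration.

```python
import secrets

# Constructed in-memory stores standing in for a real database (illustrative).
_USERS = {}      # opaque customer id -> profile
_SESSIONS = {}   # session token -> customer id that token belongs to


def register(name, email):
    """Create a customer under a random identifier instead of a serial integer."""
    customer_id = secrets.token_urlsafe(16)  # 128 bits of randomness
    _USERS[customer_id] = {"name": name, "email": email}
    return customer_id


def issue_session(customer_id):
    """Bind a session token to one customer (credential check omitted here)."""
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = customer_id
    return token


def get_user_details_unprotected(customer_id):
    """The flawed pattern: the caller is never identified, any valid id works."""
    profile = _USERS.get(customer_id)
    return (200, profile) if profile else (404, None)


def get_user_details(session_token, customer_id):
    """Hardened handler: authenticate first, then enforce record ownership."""
    caller = _SESSIONS.get(session_token)
    if caller is None:
        return (401, None)  # no valid session
    if caller != customer_id or caller not in _USERS:
        # Same response for "not yours" and "does not exist", so the
        # endpoint does not confirm which identifiers are valid.
        return (404, None)
    return (200, _USERS[caller])
```

Random identifiers only make guessing impractical; the ownership check in `get_user_details` is the control that actually protects the record if an identifier leaks.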
This is exacerbated by the lack of data protection and privacy laws, or any associated penal action, in India, in stark contrast to the European Union, the United States and even nearby Singapore, where the provision of appropriate safeguards leads companies to have a more robust pipeline in case of alleged data leakage or unlawful breaches. Also, a lack of public awareness and education on the subject means that most are unaware of, or crucially ignorant of, such problems, which may very well be alarming with the push to digitise infrastructure.