Security flaws in McDonald’s India (West & South) delivery system have exposed significant vulnerabilities, potentially compromising the personal data of customers and drivers, according to a report via TechCrunch.
The issue was identified in the McDelivery service’s application programme interfaces (APIs), which are critical for order processing and tracking.
The security flaws were discovered by Traceable AI security researcher Eaton Zveare, who found that the McDelivery APIs were not adequately verifying user permissions.
Zveare exclusively revealed to TechCrunch that flaws in the company’s delivery system, McDelivery, allowed unauthorised individuals to exploit its API.
This vulnerability enabled anyone to access, hijack, or redirect orders, track them in real time, or even place legitimate orders for just $0.01.
The issue stemmed from the API’s failure to properly verify whether the person making the requests was authorised to do so. The bugs also granted access to invoices and allowed unauthorised feedback submissions for customer orders.
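The missing check described above, sketched as an added example that is not McDonald's or the researcher's code: an order handler without and with an object-level authorisation check. The order records, user ids, roles, policy and function names are all hypothetical, constructed for illustration.

```python
from dataclasses import dataclass

class Forbidden(Exception):
    """Raised when the caller has no right to the requested order action."""

@dataclass
class Order:
    order_id: int
    customer_id: str
    driver_id: str
    address: str

# Constructed sample records; ids and addresses are illustrative only.
ORDERS = {
    1001: Order(1001, "cust-a", "drv-1", "12 Example Road"),
    1002: Order(1002, "cust-b", "drv-2", "34 Sample Street"),
}

# Hypothetical policy: what each relationship to an order permits.
ALLOWED = {
    "customer": {"read", "invoice", "feedback", "redirect"},
    "driver": {"read"},
}

def get_order_unchecked(session_user: str, order_id: int) -> Order:
    """Flawed pattern: the caller is authenticated, but ownership is never checked."""
    return ORDERS[order_id]

def role_for(session_user: str, order: Order):
    """Derive the caller's relationship to this specific order, if any."""
    if session_user == order.customer_id:
        return "customer"
    if session_user == order.driver_id:
        return "driver"
    return None

def get_order(session_user: str, order_id: int, action: str = "read") -> Order:
    """Hardened pattern: every action is authorised against the order itself."""
    order = ORDERS.get(order_id)
    role = role_for(session_user, order) if order else None
    if role is None or action not in ALLOWED[role]:
        # Same error for unknown and foreign orders, so ids cannot be probed.
        raise Forbidden(f"{action} not permitted")
    return order

def redirect_order(session_user: str, order_id: int, new_address: str) -> Order:
    """State-changing actions go through the same check as reads."""
    order = get_order(session_user, order_id, "redirect")
    order.address = new_address
    return order
```

The session user must come from the server-side session or token, never from a field in the request body.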
The security gaps have reportedly compromised the privacy of customers of McDonald’s India (West & South), which is owned by Hardcastle Restaurants, by exposing their personal details.
The researcher reported the vulnerabilities to the fast-food chain in July 2024. McDonald’s addressed and rectified the flaws by late September.
Despite the potential risks, McDonald’s India told TechCrunch that a “thorough verification of systems and logs” has not indicated any breach of customer data.
The company has not released any information regarding the number of customers who might have been affected by the exposure.
Zveare’s findings suggest that the security flaws could have exposed access to “hundreds of millions of orders”.
This incident is not the first instance of data security concerns for McDonald’s India; in 2017, approximately 2.2 million customers’ personal information was leaked through the company’s delivery app.
In early 2024, McDonald’s faced regulatory challenges when the Food and Drug Administration in the state of Maharashtra suspended the licence of an Ahmednagar outlet for using cheese substitutes without adequate disclosure.