McDonald’s Canada says info of 95,000 job applicants compromised

McDonald’s Canada says the jobs section of its website has been hacked, compromising the personal information of about 95,000 applicants over the last three years. (Photo by Raysonho @ Open Grid Scheduler / Grid Engine (Own work) [CC0])

The company said Friday the accessed information included names, addresses, phone numbers, employment histories and other standard job application information of those who applied online between March 2014 and March 2017.

The site doesn’t collect social insurance numbers, banking information or health information, McDonald’s said.

“At this time, we have no information that the information taken has been misused,” the company said in a statement. “We apologize to those impacted by this incident.”

Ira Nishisato, partner and national leader of cyber security and cyber risk-management at the law firm Borden Ladner Gervais LLP in Toronto, said it’s usually unclear how personal data will be used in the early stages of a security breach.

“When large scale data breaches occur you have a tip of the iceberg phenomenon,” he said. “You’re aware certain information may have been compromised but you’re typically not aware of the full extent of the breach or of what use that information may have been put to.”

Nishisato said there is a black market for personal information on the so-called dark web, a part of the internet not easily publicly available and largely unregulated.

“Hackers who are able to penetrate systems through data breaches will resell personal information for considerable amounts of money,” he said. “That can lead to identity theft and other illegal activity.”

An increasing number of class action lawsuits stemming from data breaches has prompted organizations to take preventative steps against potential cyber attacks, Nishisato said.

“When it comes to a data breach, it’s not an if it’s a when,” he said. “It’s fair to say you can never be 100 per cent cyber-secure. But there is a great deal you can do you limit your exposure and liability from a legal perspective.”

A McDonald’s Canada spokesman said it appears the breach occurred in mid-March.

Adam Grachnik said McDonald’s has notified every provincial and territorial privacy commissioner as well as the Office of the Privacy Commissioner of Canada of the breach.

A spokeswoman for the federal privacy watchdog said the office is aware of the website breach.

“We’re following up with the organization with respect to what took place and what the company is doing to mitigate the situation,” Anne-Marie Cenaiko said in an email. “The company has submitted a breach report, which we will be reviewing.

The company said all applicants directly affected by the privacy breach would be notified by mail, or through other contact information, such as email or phone, if a mailing address wasn’t on the application form.

McDonald’s also said applicants affected by the breach could call the company’s dedicated assistance line.

McDonald’s said the site was shut down immediately and an investigation was launched when they learned of the breach.

“The careers webpage will remain shut down until the investigation is complete and appropriate measures are taken to ensure that this type of security breach does not happen again,” McDonald’s said.

It is advising anybody interested in applying for a job to do so in person at any McDonald’s Canada restaurant.

McDonald’s has more than 1,400 restaurants in Canada and more than 80,000 Canadian employees.