McDonald’s has been hit with a proposed class action filed by three delivery customers who claim the fast food giant failed to protect their personal information from unauthorized access.
At the center of the lawsuit is an April 2021 data breach during which hackers reportedly gained access to addresses, phone numbers and email addresses of “thousands” of customers in South Korea. As a result, those whose information was compromised in the incident—including residents of and visitors to Korea who registered an account with McDelivery and used the app or website to order food for delivery—face a heightened risk of phishing scams and identity theft, according to the suit.
“Affected customers include many foreigners—U.S. citizens included—who visit Korea…U.S. citizens residing in Korea include tens of thousands of members of the U.S. armed forces and their families, English language teachers, employees temporarily assigned to work in Korea, and other ex-patriots.”
The plaintiffs, three residents of Korea, allege that while defendants McDonald’s USA, LLC and McDonald’s Corporation represented that customers’ data would be kept safe, they maintained the information in a non-encrypted file “in a condition vulnerable to cyberattacks.” If McDonald’s had implemented reasonable security measures, the data breach “would not have happened,” the lawsuit claims.
“Plaintiffs provided this data to Defendants with the expectation that Defendants would manage, maintain, and secure this data in full compliance with all applicable laws and regulations,” the plaintiffs attest. “They did not.”
The Data Breach
The lawsuit concerns an April 15, 2021 data breach that the Wall Street Journal described in a June 11, 2021 article as “another example of cybercriminals infiltrating high-profile global companies.”
McDonald’s first notified the Korean public of the security breach in a June 13 post on its website that stated a “file” containing McDelivery customers’ physical addresses, email addresses and phone numbers was accessed by unauthorized individuals, the suit relays. Tellingly, the notice admitted that McDonald’s “vulnerable” servers had been inspected and additional security measures had been implemented following discovery of the breach, the complaint states.
An email notice sent to customers a few days later contained “an almost identical message” and an apology for McDonald’s “delay” in identifying and addressing the issues that arose from the breach, according to the suit.
The plaintiffs note that McDonald’s has yet to disclose “any information” about the identity of those who unlawfully accessed their data and whether the information is still “in the cybercriminals’ hands.”
The lawsuit claims McDonald’s violated two Illinois privacy laws and a Korean privacy law by failing to implement proper data security systems and protect the personal information with which it was entrusted. As a result of the defendants’ alleged security failures, those whose information was involved in the breach have suffered damages including lost time, anxiety, emotional distress, loss of privacy and “other harm,” the complaint attests.
The Plaintiffs’ Experiences
The three plaintiffs claim to have already experienced adverse effects of the McDonald’s data breach.
One plaintiff says he has been hit with an “exponential increase” in unwanted spam emails, while another claims to have received “constant notifications” of unauthorized email login attempts in Japan.
The third plaintiff says he was exposed to “attempted extortion” when he received a phishing email in which an individual claimed to have hacked his “personal photos, video files, conversations, documents, e-mails, contact information, search history, notes, social media records, and deleted files.” The author then stated that they had discovered “interesting photos and videos” of the plaintiff and threatened to send the “very personal and inappropriate” content to the plaintiff’s contacts unless he paid $1,700 within two days, the complaint relays.
According to the suit, McDonald’s has not offered the plaintiffs—or anyone else whose information was unlawfully accessed—any compensation or means by which to prevent phishing scams or identity theft. The lawsuit claims the individuals “at their own cost, must now and in the future expend time and effort to closely monitor their accounts to guard against phishing scams and identity theft.”
What Relief Is the Lawsuit Seeking?
The lawsuit looks to provide monetary compensation for those whose information was involved in the breach and require McDonald’s to pay for phishing scam monitoring and identity theft protection services.
Additionally, the case looks to require McDonald’s to beef up its data security, disclose “with specificity” how and when the data breach occurred, develop and disclose “accurate and truthful” data retention and transmission policies, and “otherwise comply with all applicable legal standards.”
Who Does the Lawsuit Look to Cover?
The proposed class action looks to represent anyone who registered for a McDelivery account to place an order for food delivery while in Korea through the McDonald’s delivery app or website and whose personal information was compromised in the April 15, 2021 data breach announced by the company.
How Do I Join the Lawsuit?
There’s usually nothing you need to do to join a class action when it’s first filed. If the case moves forward and settles, that’s when “class members,” i.e., those who fit the criteria in the section above, would receive notice of the settlement with instructions on how to claim their share.
In the meantime, one of the best things you can do is to stay informed. Check back to this page for updates or sign up for ClassAction.org’s free weekly newsletter here to get class action news and settlement information sent straight to your inbox.