McDonald’s is warning customers to be on guard against identity theft, phishing attacks, or other scams thanks to a data breach. What makes the data compromise more concerning is that it is indicative of a growing hacker strategy to go for the low-hanging fruit rather than staging a direct attack.
Hackers did not breach McDonald’s per se. The attackers were able to access the sensitive McDonald’s customer data through a third-party contracted by a third-party contracted by McDonald’s. McDonald’s hired Arc Worldwide to manage its promotional e-mail campaign, and Arc Worldwide hired another third-party to actually distribute the e-mails. That third-party–which remains anonymous–is the one that was hacked.
McDonald’s has sent an e-mail to customers alerting them that their personal information may have been exposed. The e-mail asks customers to be more vigilant about potential identity theft or phishing threats, and asks them to contact McDonald’s in the event that they receive any communications claiming to be from McDonald’s which in any way ask the customer to share personal or financial information.
IT admins should pay close attention to this incident. Just as malware developers have focused more attention on third-party software like Adobe Reader rather than trying to exploit the Windows operating system directly, hackers have also learned that the easiest path to compromising a network is often through a third-party provider.
Partners and vendors often have trusted connections into fortified, high-value networks, and they represent low-hanging fruit that attackers can target. The smaller third-party organizations frequently lack the security policies and controls of the larger companies, and provide an Achilles heel that hackers can exploit to gain access to the more valuable network–often flying undetected under the radar.
There are two things that IT admins need to do in order to protect sensitive data and network resources. First, do some due diligence and establish some security guidelines for third-party providers to ensure they meet security requirements. An extension of that would be to also require third parties contracted by the third party to meet the same requirements and go through the same vetting process before being authorized to connect to the network.
The other thing that IT admins should do is establish monitoring and controls to protect the network even from trusted partners, and prevent access to sensitive systems. It wouldn’t help in this instance, because the compromised database was on the third-party provider’s network, but IT admins still have to strike a balance between collaboration and security.
Like flowing water, attackers will always seek the path of least resistance. As this McDonald’s incident illustrates, that path often goes through trusted third-parties.