Mcdonalds consumer mailing lists hacked by spammers


In an interesting twist to the Walgreen Co. list hacking and phishing attack yesterday, it is noted the Mcdonalds has also recently issued a similar notice to its subscriber base. It is likely these attacks are directly related to the ongoing phishing attempts that large ESP’s have found themselves the target of.

It has been reported  by SecLists today (and confirmed with EMailExpert via Mcdonalds) that McDonald’s is working with law enforcement authorities after malicious hackers broke into another company’s databases and stole information about an undetermined number of the fast food chain’s customers.

“We have been informed by one of our long-time business partners, Arc Worldwide, that limited customer information collected in connection with certain McDonald’s websites and promotions was obtained by an unauthorized third party,” a McDonald’s spokeswoman said via e-mail on Saturday.

It is possible and even likely that data includes full names, phone numbers, postal addresses and e-mail addresses. The notice posted by Mcdonalds is as follows:

Potential Access to Customer Data by Unauthorized Third Party

Dear Valued McDonald’s Customer,

Our records indicate you previously elected to submit information to McDonald’s in connection with one of our websites or promotions. We wanted to let you know there is a possibility that the limited information you provided to McDonald’s through its websites or promotions was improperly accessed by an unauthorized third party.

By way of background, McDonald’s asked Arc Worldwide, a long-time business partner, to develop and coordinate the distribution of promotional emails.   Arc hired an email service provider, a standard business practice, to supervise and manage the email database.  That email service provider has advised that its computer systems recently were accessed by an unauthorized third party, and that information, including information that you provided to McDonald’s, may have been accessed by that unauthorized third party.  Law enforcement officials have been notified and are investigating this incident.

McDonald’s does not collect sensitive financial information, such as Social Security Numbers or credit card numbers on-line or through email.  As such, the information improperly accessed did not include this type of information.  Rather, the limited information you provided to McDonald’s included information required to confirm your age, a method to contact you (such as name, mobile phone number, and postal address and/or e-mail address), and other general preference information.  In the event that you are contacted by someone claiming to be from McDonald’s asking for personal or financial information, do not respond and instead immediately contact us at the number below so we can contact the authorities. Please remember, McDonald’s would not ask for that type of information online or through email.

We apologize for any concern this incident may cause.  Protecting our valued customers is very important to us.  If you have any questions or concerns, rather than replying to this email, please contact us immediately at our toll-free number 1-800-244-6227.

McDonald’s Customer Satisfaction Team

Last updated by at .

Andrew Bonar

The founder of, Andrew Bonar currently resides not far from Sydney in Australia where he performs his primary role as Postmaster for self-service ESP Campaign Monitor

In the past two years alone Andrew has been responsible for the delivery of in excess of 120 Billion messages. With more than 15 years of industry experience, Andrew is widely recognised as a leader in the field of message sending, deliverability and compliance.

In 1996, he co-founded the UK’s oldest privately held ISP, Cheapnet Ltd. In 1998, launched the UK’s first privately held eCommerce payment systems: eBanx Ltd, and in 2003 he launched two of the very first ESP’s in Europe: MailPhoenix and eMailGenie.

From 2006 Andrew served as an independent consultant at organisations throughout Europe, the Middle East, Asia Pacific and the US. More recently serving as Worldwide Director of Deliverability at Emailvision, managing deliverability operations in 22 Countries. Andrew continues developing and evangelising best practices in permission-based marketing with clients and industry associations and travels extensively in Asia, Europe and North America to fulfil these obligations.