McDelivery, McDonald’s India’s delivery application, was allegedly leaking personal data – including names, email addresses, phone numbers, home addresses, home co-ordinates and social profile links – for as many as 2.2 million of its users, according to Fallible, a cyber security company. In its blog post, Fallible says that it contacted McDonald’s on the 4th of February 2017 and received an acknowledgement from a Senior IT Manager at the company on the 13th of February, but that as of the 18th of March McDonald’s had still not fixed the application, and that at the time Fallible disclosed the vulnerability online, it had not received any further update from the company.
The issue, according to Fallible, was “An unprotected publicly accessible API endpoint for getting user details coupled with serially enumerable integers as customer IDs can be used to obtain access to all users personal information.”
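The flaw Fallible describes is the classic broken object-level authorization pattern: a handler that returns whatever record the client-supplied ID points at, combined with IDs that go 1, 2, 3, so the whole table can be walked. The block below is an added, constructed illustration (not McDelivery’s code; the records, IP addresses and log lines are made up) showing that pattern next to a hardened handler that ties the record to the authenticated session, an opaque-ID layer that removes the enumerability, and a small log check of the kind a defender could run to spot ID-walking.

```python
"""Constructed example (not McDelivery's code): the vulnerable pattern the
disclosure describes, an unauthenticated "user details" endpoint keyed by a
sequential customer ID, next to a hardened version and a log check that
flags ID-walking. Records, IDs and log lines are made up."""
import secrets
from collections import defaultdict

# Constructed sample records keyed by sequential integer customer IDs.
CUSTOMERS = {
    1001: {"name": "Customer One", "email": "one@example.invalid", "phone": "+91-00000-00001"},
    1002: {"name": "Customer Two", "email": "two@example.invalid", "phone": "+91-00000-00002"},
    1003: {"name": "Customer Three", "email": "three@example.invalid", "phone": "+91-00000-00003"},
}


class Unauthorized(Exception):
    """No valid session was presented."""


class Forbidden(Exception):
    """The session is valid but does not own the requested record."""


def vulnerable_get_user_details(session, customer_id):
    """Vulnerable pattern: the handler never looks at who is asking, so any
    caller can step customer_id through 1001, 1002, 1003 ... and read all."""
    return CUSTOMERS.get(customer_id)


def hardened_get_user_details(session, customer_id):
    """Hardened pattern: authenticate, then enforce object-level
    authorization so a session can only read its own record."""
    if not session or "customer_id" not in session:
        raise Unauthorized("login required")
    if session["customer_id"] != customer_id:
        raise Forbidden("record belongs to another customer")
    return CUSTOMERS.get(customer_id)


# Second layer: expose opaque, non-sequential public IDs so that even a
# missed authorization check cannot be turned into a bulk walk of the table.
def make_public_id_map(customers):
    """Return {public_id: internal_id} using random 128-bit URL-safe tokens."""
    return {secrets.token_urlsafe(16): internal for internal in customers}


def resolve_public_id(public_ids, public_id):
    """Look up an internal ID from an opaque public ID; None if unknown."""
    return public_ids.get(public_id)


# Detection: flag a client that requests a run of consecutive customer IDs,
# the tell-tale sign of enumeration against a sequential keyspace.
def flag_enumeration(log_lines, threshold=5):
    """log_lines are constructed 'client_ip customer_id' records. Returns the
    set of clients whose requested IDs contain `threshold` consecutive ints."""
    ids_by_client = defaultdict(set)
    for line in log_lines:
        client, cid = line.split()
        ids_by_client[client].add(int(cid))
    flagged = set()
    for client, ids in ids_by_client.items():
        ordered = sorted(ids)
        run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            if run >= threshold:
                flagged.add(client)
                break
    return flagged


SAMPLE_LOG = [  # constructed, not from any real server
    "198.51.100.7 1001", "198.51.100.7 1002", "198.51.100.7 1003",
    "198.51.100.7 1004", "198.51.100.7 1005",
    "203.0.113.9 1002",  # a normal user reading their own record once
]

if __name__ == "__main__":
    print(vulnerable_get_user_details(None, 1002))  # leaks without a login
    try:
        hardened_get_user_details(None, 1002)
    except Unauthorized as exc:
        print("hardened:", exc)
    print(hardened_get_user_details({"customer_id": 1002}, 1002))
    print(flag_enumeration(SAMPLE_LOG))
```

The ownership check in `hardened_get_user_details` is the fix that actually closes the leak; the opaque public IDs are defence in depth, and the log check is what an operations team would want in place so that a partial fix of the kind Fallible later reported is noticed from traffic rather than from a researcher’s follow-up.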
This is probably not what McDonald’s had in mind when they wrote in their McDelivery app description:
“We may disclose certain personally identifiable information, to third party service providers, listed below –
– information you provide us such as name, email, mobile phone number.
– information we collect as you access and use our service – device information, location and network carrier.”
In a subsequent statement issued by McDonald’s India (South and West), also sent to MediaNama, the company has clearly not denied that this information is being leaked by the application, and only points out that financial information (credit card details, wallet passwords or bank account information) is not stored by it. At the same time, it has urged users to update the McDelivery app, thus indicating (but not acknowledging) that there was an issue, and that it may have been fixed.
The statement from McDonald’s India (South and West):
“We would like to inform our users that our website and app does not store any sensitive financial data of the users like credit card details, wallets passwords or bank account information. The website and app has always been safe to use, and we update security measure on regular basis. As a precautionary measure, we would also urge our users to update the McDelivery app on their devices. At McDonald’s India, we are committed to our users’ data privacy and protection.”
Still not fixed, it seems
In an update, Fallible has disclosed that McDonald’s India contacted them, saying that the issue was fixed. However, according to Fallible, the “fix is incomplete and the endpoint is still leaking data. We have communicated this again to them and are waiting for their response.”
Section 43A of the IT Act
Meanwhile, Srinivas Kodali says he has filed a complaint with the Hyderabad Police under Section 43A of the IT Act, which states:
43A. Compensation for failure to protect data (Inserted vide ITAA 2006):
Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, not exceeding five crore rupees, to the person so affected. (Change vide ITAA 2008)
Explanation: For the purposes of this section
(i) “body corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities
(ii) “reasonable security practices and procedures” means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.
(iii) “sensitive personal data or information” means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.
Need for a Privacy and Data protection law
There are no strong data protection laws in India: a privacy law was being worked on 4-5 years ago, but it has been in limbo since. In fact, the Indian state has gone on record in the Supreme Court of India saying that privacy is not a fundamental right.
The issues, it seems, will only increase from here on as more and more people come online. Fallible says: “We have in the past discovered more than 50 instances of data leaks in several Indian organisations. In fact, we are pleasantly surprised when we find Indian companies without a personal or payment data leak vulnerability in their APIs.”