Privacy Daily is a service of Warren Communications News.

Poland Data Protection Office Fines McDonald's After Data Breach

The Polish data authority fined McDonald's and a vendor for the restaurant chain after a data breach occurred in a personnel system the vendor managed.


McDonald's must pay almost $5 million for failing to conduct a risk assessment of the personnel system that the third party, 24/7 Communication, built for it, Poland's Personal Data Protection Office said Monday.

In addition, the vendor, 24/7, was hit with a fine of roughly $50,000 for its role in the breach, the Polish office added.

Under an agreement between McDonald's and 24/7, the data system collected personnel information that was available to the employer and restaurant owners. However, the global burger chain ceded "authority to manage the resources and configuration of the IT system" to 24/7 Communication, the privacy agency said.

After an investigation, the Polish privacy unit said "both" companies were responsible for implementing "appropriate technical and organisational measures." However, neither organization conducted a risk analysis or implemented technical and other appropriate measures, the agency added.

McDonald's reported a data breach to the agency, noting that the information potentially exposed included passport or national identification numbers, work start and end times, positions and McDonald's restaurant numbers, the Polish office said. Neither the number of individuals affected nor the date(s) when the breach occurred or was discovered was reported.

The agency said the breach "resulted from a server misconfiguration, which [24/7 Communication] was responsible for," but "the investigation revealed that McDonald's failed to verify" 24/7's "ability to secure data."

Additionally, McDonald's "notified former employees only by issuing two press releases," which the agency said "cannot be considered direct notification of a personal data breach."