McDonald's has urged users of the McDelivery app in India to update it after an independent security firm alleged that personal and sensitive data of around 2.2 million users was being leaked. The fast food giant tweeted a statement on Sunday (18 March) and said, "...our website and app does not store any sensitive financial data of the users like credit card details, wallets passwords or bank account information."
However, the company neither denied nor confirmed the data leak.
Security firm Fallible claimed that it had contacted McDonald's about the alleged security flaw on 4 February and received an acknowledgment of the issue from the fast food giant's Senior IT manager on 13 February. However, the security firm pointed out that the issue was not fixed until it reported the issue on Medium on 18 March.
The firm wrote in the post that the McDelivery app in India had leaked personal data like names, email addresses, phone numbers, home addresses and social profile links of users.
Following this, McDonald's India posted this statement on Twitter: "We would like to inform our users that our website and app does not store any sensitive financial data of the users like credit card details, wallets passwords or bank account information.
"The website and app have always been safe to use, and we update security measure on regular basis. As a precautionary measure, we would also urge our users to update the McDelivery app on their devices."
The fast food giant's statement indicated that no financial data of customers was stored on the app and that there was no risk of it being accessed by hackers.
Fallible claimed that McDonald's replied to them and confirmed that it had fixed the issue. However, the security firm claims that the "fix is incomplete" and that the vulnerable endpoint is allegedly still leaking data.
IBTimes UK has reached out to McDonald's for more clarity on the matter and is awaiting a response.