Security breaches at three firms expose vulnerability of customer information
Customer information collected by three companies, including McDonald’s Corp. and Walgreen Co., has been compromised in recent days.

The incidents highlight the vulnerability of that information, especially when consumers, overwhelmed with the number of online log-ins they need, use “dumb” passwords for their accounts, experts say.

Recent breaches contained such information as names and e-mail addresses. They did not involve crucial personal information, such as Social Security, bank account and credit card numbers, the companies said. In the Walgreen case, medical prescription information was not stolen, the company said.
McDonald’s on Monday notified some customers that information they provided on the fast-food company’s website or in promotions “was improperly accessed by an unauthorized third party.” Information might have included the customer’s name, mobile phone number, postal address and e-mail address. McDonald’s said it had hired the marketing services firm Arc Worldwide to coordinate its e-mail promotions. Arc then hired another company to manage the e-mail list. It was that company, which Arc and McDonald’s would not name, that suffered the breach.

Gawker Media, operator of numerous websites, said its registered users’ user names and passwords were hacked over the weekend. Though passwords were encrypted, they’re still vulnerable and should be changed, the company said. The danger comes if people used the same log-ins for a Gawker site as they do for their other accounts, including financial accounts. Gawker operates the websites Gawker, Gizmodo, Jalopnik, Jezebel, Kotaku, Lifehacker, Deadspin, Io9 and Fleshbot. The Gawker breach led to spam postings using some victims’ Twitter accounts.

Walgreen on Friday said customers subscribing to the drugstore chain’s e-mail distribution list should be on the lookout for spam directing them to another site and then asking for personal data. That was because of an “unauthorized access” to its e-mail list. Only e-mail addresses were compromised — no names, a Walgreen spokesman said Monday, declining to provide further details of the breach.

“The McDonald’s, Walgreens, and Gawker incidents should be a wake-up call for everyone,” said Rob Fitzgerald, president of Lorenzi Group, a digital forensics company.

Andrew Storms, director of security operations for nCircle, a network security and compliance auditing firm, said data breaches were on the rise. “Unfortunately, consumers don’t pay much attention to breach disclosures — even for large brands — because there are so many of them,” he said.

In fact, 63% of organizations reported experiencing at least one security incident or breach during the last 12 months, according to the Global Information Security Trends study by the Computing Technology Industry Assn., a nonprofit trade group.
“More troubling is the feeling that the severity level of breaches has increased over the last several years,” said Steven Ostrowski, spokesman for the association. “Attacks that in the past may have been done for sport or notoriety are now being done more frequently with criminal intent or financial gain in mind.”

For consumers, one danger of stolen names and e-mail addresses is “phishing.” Thieves can create and send e-mails that look like they are from legitimate businesses, such as a bank, and contain your name, trying to trick you into divulging more personal information, which can be used for more serious frauds.

Ultimately, the biggest problem is that people are too trusting and offer too much personal information, said Mike Meikle, chief executive of Hawkthorne Group, a security consulting firm. “The weakest link is the person using the device or piece of software,” he said. “It’s just about having a healthy skepticism. It’s kind of a sad situation, but you have to kind of give everyone the eye. It’s just the way it is.”

And so many people use the same or similar user names and passwords for all their accounts that they’re easy to hack, said Graham Cluley, senior technology consultant for information security firm Sophos and operator of the Naked Security blog.

“People choose dumb passwords, like ‘password’ or ‘letmein’ or the brand of monitor they’re looking at,” Cluley said. Instead, they should use a random password for each site, rather than words in the dictionary that are easily hacked. Because it’s unwieldy to manage those, consumers should use password storage software. There are many examples, but free programs include LastPass and KeePass, he said.