McDonald’s AI “McHire” platform was breached, allowing for the potential exposure of 64 million applicants private data

For employers, sorting through applications is ordinarily a tedious but necessary part of the hiring process. Enter AI, with artificial intelligence employers can now have AI tools sort candidates based on specific prompt criteria, shortening the time it takes to sort through dozens or even hundreds of applications and propelling the most worthy candidates to the top of the list for human review.

Or at least, that was the idea. However recently for McDonald’s that idea backfired with a simple mistake, a security flaw in their AI hiring platform dubbed “McHire” or McHire.com allowed attackers to access the logs of any user in the system simply by using the account and username “123456”.

This allowed access to an administrator account for Paradox.ai, the vendor behind the creation of the McDonald’s AI hiring platform, and the ability to query “Olivia”. Olivia is is the chatbot potential applicants would chat with as they submitted their application.

The data they were able to access included applicants’ names, emails, addresses and phone numbers. In total there were 64 million records accessible in the system at the time the breach occurred.

Luckily, the security flaw was discovered by researchers instead of true bad actors. The breakdown of how it was discovered can be found on the blog by security researchers Ian Carroll and Sam Curry. We have reported on their research before when they discovered a major flaw with Kia and other car brand manufacturers allowing for remote access to vehicles (even while they’re actively being driven).

It's a sharp reminder that just because AI solutions may make things easier, doesn’t mean that best practices are automatically being followed. The human review is still an important component when deploying any system that will gather large amounts of PII (Personally Identifiable Information) and it’s important to know the rules and restrictions you must follow when collecting that data for your business.

Below are three rules we recommend following when collecting PII in your business:

1. Collect Only What’s Necessary (Data Minimization)

Only gather the PII that is absolutely essential for the purpose at hand. Avoid collecting excess or sensitive data unless it is required. This reduces risk in the event of a data breach and shows respect for user privacy.

2. Clearly Inform and Obtain Consent

Be transparent about what data is being collected, why it’s needed, how it will be used, and with whom it might be shared. Always obtain informed consent before collecting any PII, especially for sensitive data like health, financial, or biometric information.

3. Protect the Data with Strong Security Measures

Use up-to-date encryption, access controls, and secure storage practices to protect PII from unauthorized access, loss, or misuse. Regularly audit systems and train employees on proper data handling procedures.

These rules not only build trust with users but also help ensure compliance with regulations like GDPR, CCPA, HIPAA, CMMC and more. If compliance or data protection is a concern for your business, Valley Techlogic can be your go-to partner in creating secure data collection and safeguarding practices alongside deploying industry leading cyber security preventions within your business. Reach out today to learn more.

Looking for more to read? We suggest these other articles from our site.

This article was powered by Valley Techlogic, leading provider of trouble free IT services for businesses in California including Merced, Fresno, Stockton & More. You can find more information at https://www.valleytechlogic.com/ or on Facebook at https://www.facebook.com/valleytechlogic/ . Follow us on X at https://x.com/valleytechlogic and LinkedIn at https://www.linkedin.com/company/valley-techlogic-inc/.