McDonald's, others suffer 'Russian doll' effect in series of service provider email breaches under investigation

The recent breach exposing McDonald's customer information was the result of a widespread series of spear-phishing attacks against email service providers that have been under way for about a year and are under investigation by the FBI.

Walgreens experienced a similar attack that pilfered its customers' email addresses, resulting in some customers receiving phishing emails attempting to gather more valuable information from these customers. The pharmacy chain declined to confirm whether the breach occurred within its internal systems or at an email provider hosting that data. Security experts say it's likely related to the email service provider attacks.

McDonald's said a database containing customer email addresses, birth date information, and phone numbers was compromised when its third-party database firm was discovered to have been hacked. McDonald's was contacted by Arc Worldwide, a firm that handles McDonald's marketing and other promotions, that customer information from some of its websites and promotions had been breached via a hack of a firm that handled the database of McDonald's customer emails. Silverpop reportedly was the breached firm in question, but the companies won't confirm or deny the relationship on the record.

The series of attacks targeting email service providers was first reported in November here. The ripple effect on McDonald's and Walgreens' customer data emerged only during the past week. The hacks underline the potential peril and headache to an enterprise when its cloud provider gets hacked.

"The supply-chain risk we are seeing as the increasing specialization of services has companies outsourcing more and even has outsourcers outsourcing. This 'Russian doll' effect means that the biggest doll suffers if any of the smaller dolls has a breach. Outsourcing contracts should require security due diligence on the outsourcer, and subcontracting should trigger more due diligence that passes up the chain," says Chris Wysopal, CTO at Veracode. "A big fear is that more attackers will see the target rich environment for email addresses that has been created by the concentration of marketing emails through a few providers and that these providers come under heavy sophisticated attacks."

Silverpop, meanwhile, says only a small chunk of its customers were affected by the spear-phishing attack that led to a breach around Thanksgiving, and it did not compromise its application infrastructure. "The forensic investigation into the cyber attack on our company and customers has yielded some valuable insights," Silverpop CEO Bill Nussey wrote in a blog post today. "First, we have confirmed that our quick reaction to reset customer passwords was successful in halting the attack. Second, the specialized monitoring systems run by our outside experts continue to confirm that our existing and enhanced security measures are successfully protecting our application and our customers. Third, we are confident that our application infrastructure, the servers and networks behind our products, was not targeted or compromised as part of this attack. Fourth, third-party experts have confirmed that the attack was particularly sophisticated and we are working with customers and industry peers to share what we have learned."

Another email service provider, ReturnPath, says it was victimized by the attacks as well, which it says began with a spear-phishing email attack against its employees. "What likely happened of our end clients was successfully phished, causing their sending systems (in one case an ESP and in another case an in-house system) to be compromised. In both cases, the sending IPs were members of our Certified program, so millions of spam messages did make it through to a couple of the mailbox operators we work with. At this point, we believe that the majority of the outbound spam through the hijacked IPs went to one mailbox operator, not to the general internet," blogged Matt Blumberg, chairman and CEO of ReturnPath.

Jay Chaudhry, CEO at Zscaler, a cloud security firm, says his company has been watching these attacks. "The bad guys are going to go wherever easy sources are for getting credentials. If email can be gotten, it can be sold for spam. If they can get more [user information], it can have more value."

Chaudhry says some email and other cloud service providers do a good job with security, while others are lacking. And attacks that hit cloud providers can have a ripple effect, too, he says. The hack against Gawker that exposed passwords of more than 1 million users also led to other cloud providers, like LinkedIn, to reset any passwords associated with the attack as a precaution, he notes.

Expect more of these cloud attacks that affect multiple organizations and victims, he says. One solution for protecting user accounts is for sites to force strong passwords, he says.

Meanwhile, Walgreens says some of its customers have received spam messages attempting to lure them to another website and to enter personal information.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights