Canadians are frustrated by perceived security flaws as hackers spend thousands.

By Tim Nelson
April 30, 2019

You can’t call yourself a major fast food chain these days without a proprietary smartphone app. They’re an invaluable way to streamline in-store transactions, enable deliveries, and encourage customer loyalty through deals and rewards at a time when the dining landscape is more competitive than ever.

But in the case of Canada’s version of the McDonald’s app, a hacking spree has left many customers, well … not loving it. Over the past few months, reports from various outlets suggest that a number of customers have fallen victim to at least one (and potentially multiple) Quebecois “Hamburglar(s)” who have hacked into customer accounts to rack up hundreds and even thousands of Canadian dollars’ worth of fraudulent McDonald’s orders using ill-gotten payment information.


Though the stories of this hamburger hacking and french-fried fraud date back to the beginning of the year, the most detailed first-person account of the situation comes courtesy of Toronto-based tech writer and recent victim Patrick O’Rourke. He says that even though the McDonald’s iOS app wouldn’t accept an order he himself placed (despite double-checking that his payment info was entered correctly), more than 100 orders did go through at various Montreal-area McDonald’s locations in under a week. Though each order was worth no more than $30 CAD, the Big Macs, McNuggets, and (fittingly) poutine fries—sometimes placed mere minutes apart—soon drained his bank account of more than $2000 CAD.

In addition to some sort of unseen flaw that allowed hackers to access and use his payment information, O’Rourke expressed dismay that the McDonald’s app didn’t have safeguards in place to cancel the (mc)flurry of orders. “It seems the fast food company assumes that ‘hey, this guy must really like Filet-O-Fish enough to order dozens of sandwiches in just a few hours,’” he wrote on MobileSyrup.

It looks like whatever security flaw allowed for the fraud has affected more than just O’Rourke’s account. Another CBC story from early February tells of how one Halifax woman had $483.65 CAD in Montreal-based McDonald’s purchases made without her knowledge, leaving her with just $1.99 CAD in her bank account by the time she’d caught on. The Canadian news outlet mentions they’ve interviewed four victims of the scam in total.

A number of tweets suggest other app users have also fallen victim to Canada’s hacking hamburglar.

As of yet, McDonald’s has been hesitant to admit that there’s anything seriously wrong with their app’s security.

“While we are aware that some isolated incidents involving unauthorized purchases have occurred, we are confident in the security of the app. We do take appropriate measures to keep personal information secure,” McDonald’s senior manager of external communications Adam Grachnik told MobileSyrup, clarifying that the app doesn’t actually collect or store any payment information.

Instead, Grachnik’s statement attempts to shift blame to user password security. “Just like any other online activity, we recommend our guests be diligent online by not sharing their passwords with others, creating unique passwords and changing passwords frequently,” Grachnik said.

That’s likely not enough to assuage the fears and frustrations of victims like Ontario resident Brian Coleman, who was not issued a refund by McDonald’s after hackers spent $267 CAD of his money on a Montreal fast food binge.

"I expected them to do the refund because it was their fault," he told the CBC. "It's their application. If it's not secure, they should take responsibility."  

Is the McDonald’s IT team working to shore up security behind the scenes? Can the app be trusted at all? Should Americans be worried too? So far answers aren’t forthcoming. However, the tale of the Quebecois Hamburglar is an important reminder that if you can use your phone and your debit card to order a Big Mac, there’s always a chance someone else can too.