A massive security lapse at McDonald’s left millions of job applicants’ personal data exposed because of a password that would give any security engineer nightmares: “123456.”
Security researcher Ian Carroll uncovered the problem when he was able, with almost no effort, to get into the administrative system behind McDonald’s AI-driven job interview platform. The exposure affected nearly everyone who had applied for work at a McDonald’s franchise this year and could have revealed names, phone numbers, email addresses, home addresses, and other sensitive personal information.
The weakness lay in Paradox.ai, the vendor that built McDonald’s AI-powered job interviewer, Olivia. The chatbot screens applicants for roughly 90% of McDonald’s locations, gathering large amounts of personal data from candidates, including their availability, contact information, and answers to personality tests.
How the Breach at McDonald’s Occurred
Carroll’s entry into the system was embarrassingly easy. McDonald’s careers site normally sends users through a single sign-on flow, but he noticed a small text link to a separate Paradox staff log-in page. When he tried the most rudimentary credentials possible, “123456” as both the username and the password, the system let him straight in.
Once inside, Carroll found something more troubling. By inspecting the internal site’s code, he located an API that returned the raw chat data from every conversation Olivia had ever held. The trick was simple: changing an ID parameter in an XHR request was enough to pull back other applicants’ records, the classic insecure direct object reference in which the server checks that a caller is logged in but never checks that the caller is allowed to see the specific record. Walking through the ID space gave access to as many as 64 million applicant chat records.

The exposed data went beyond individual contact details. Carroll also found the history of applicants’ status changes and authentication tokens, which together gave a full picture of McDonald’s hiring pipeline and the people in it.
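The two failures above, a staff account that accepts a trivial password and an API that returns any applicant record by sequential ID, are both authorization-design problems, not exotic exploits. The following is an added illustration written for this article; it is not Paradox’s code, the data in it is constructed, and every name in it (the lead IDs, the tenant names, the function names) is an assumption. It shows the weak pattern, how an attacker enumerates it, and the hardened equivalent: a password policy with a common-password blocklist and salted PBKDF2 hashing, plus an object-level authorization check that scopes every record lookup to the caller’s tenant.

```python
import hashlib
import hmac
import secrets

# Constructed sample data, not real applicant records: chats keyed by a
# sequential "lead" ID, each belonging to one franchise (tenant).
CHATS = {
    1001: {"tenant": "store-A", "name": "A. Applicant", "phone": "555-0100"},
    1002: {"tenant": "store-B", "name": "B. Applicant", "phone": "555-0101"},
    1003: {"tenant": "store-A", "name": "C. Applicant", "phone": "555-0102"},
    1004: {"tenant": "store-C", "name": "D. Applicant", "phone": "555-0103"},
}

# A short stand-in for a real common-password list (e.g. the top 10k).
COMMON_PASSWORDS = {"123456", "password", "123456789", "qwerty", "admin"}
PBKDF2_ITERATIONS = 600_000  # OWASP's current figure for PBKDF2-HMAC-SHA256


# --- The weak design -------------------------------------------------------

# A leftover test account whose username and password are both "123456".
WEAK_STAFF = {"123456": {"password": "123456", "tenant": "store-A"}}


def weak_login(username, password):
    """Plaintext comparison, no password policy, no lockout."""
    user = WEAK_STAFF.get(username)
    if user is None or user["password"] != password:
        return None
    return {"user": username, "tenant": user["tenant"]}


def weak_get_chat(session, lead_id):
    """The only check is 'is the caller logged in?'; any session reads any lead."""
    if session is None:
        return None
    return CHATS.get(lead_id)


def harvest(session, newest_id, count):
    """What an attacker does with an IDOR: change the ID and walk backwards."""
    found = {}
    for lead_id in range(newest_id, newest_id - count, -1):
        chat = weak_get_chat(session, lead_id)
        if chat is not None:
            found[lead_id] = chat
    return found


# --- The hardened design ---------------------------------------------------

def hash_password(password, salt=None):
    """Salted PBKDF2; a fresh random salt is generated when none is supplied."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def create_staff(users, username, password, tenant):
    """Refuse blocklisted or short passwords before anything is stored."""
    if password in COMMON_PASSWORDS or len(password) < 12:
        raise ValueError("password rejected by policy")
    salt, digest = hash_password(password)
    users[username] = {"salt": salt, "hash": digest, "tenant": tenant}


def hardened_login(users, username, password):
    """Verify against the stored hash with a constant-time comparison."""
    user = users.get(username)
    if user is None:
        return None
    _, digest = hash_password(password, user["salt"])
    if not hmac.compare_digest(digest, user["hash"]):
        return None
    return {"user": username, "tenant": user["tenant"]}


def hardened_get_chat(session, lead_id):
    """Object-level authorization: the record must belong to the caller's tenant."""
    if session is None:
        return None
    chat = CHATS.get(lead_id)
    if chat is None or chat["tenant"] != session["tenant"]:
        return None  # same answer for "missing" and "not yours", so IDs cannot be probed
    return chat
```

With the weak functions, `harvest(weak_login("123456", "123456"), 1004, 4)` returns all four records regardless of which store the account belongs to; with the hardened ones, a `store-A` session gets `1001` and `1003` and sees `None` for everything else. Returning the same response for a missing record and a foreign record is deliberate: a distinguishable “forbidden” answer would still let an attacker map which IDs exist.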
The incident also drew attention to some of Olivia’s more comical limitations. Internet users have posted screenshots of the chatbot sending applicants in circles, telling them to visit the hiring website, which redirects them straight back to the chatbot. When one frustrated job seeker complained about the loop, Olivia allegedly replied with nonsense.
These exchanges show the current limits of AI-driven hiring platforms, even as companies rush to put them into production.
McDonald’s AI Ambitions Hit Snag with Security Vulnerability Disclosure Issues
When Carroll tried to report the vulnerability to Paradox, he ran into a second problem: the company had no established security disclosure contact. Its security page offered nothing beyond boilerplate assurances that users need not worry about security.
In the end, Carroll reached McDonald’s and Paradox only by repeatedly emailing what he described as “random people” at the company. Both firms confirmed the flaw was patched in early July, but neither said how long the system had been exposed or what, if anything, they were doing for affected applicants.
The incident comes amid McDonald’s ongoing push to use artificial intelligence across every part of its operations. Earlier this year the company announced plans to deploy AI for administrative tasks, sensors, order verification, and other restaurant functions in all 43,000 of its restaurants worldwide.
McDonald’s has stumbled with AI before. Last year the chain ended a trial of an IBM-built AI drive-thru system, a sign that even large technology vendors can misjudge real-world AI deployment in quick-service restaurants.
Cautionary Tale for AI-Driven Recruitment and Third-Party Risk
The McDonald’s incident is a blunt reminder of how common weak passwords still are, decades of warnings notwithstanding. “123456” sits at or near the top of every list of the most used passwords, which is exactly why it is the first thing an attacker tries.
For the millions of applicants affected, the incident underscores the growing risk of handing personal data to AI systems, especially when those systems and the vendors behind them are not adequately secured. As more companies put AI into recruitment and other sensitive workflows, basic controls such as strong credential policies, per-record authorization checks, and a working disclosure channel matter more than ever.
The case also raises the question of what companies owe applicants whose data they collect, and of how much tighter the security requirements for AI-based recruitment platforms, and the third-party risk reviews of their vendors, need to become.