May 31, 2023
McDonald's confirms leakage of CPF, email and other customer data


Name, marital status, address, email, CPF and phone number are included in the list of leaked McDonald’s customer data. The fast-food chain sent some consumers an email on Sunday (17) informing them of what had happened.

The company stated that “there was no access to sensitive data”. Under the General Data Protection Act (LGPD), sensitive data about individuals may include racial, ethnic, religious, philosophical, political, genetic, biometric, health, and/or sexual life data.

In a statement sent to Tilt, Arcos Dorados, the company that operates McDonald’s in Brazil and other Latin American countries, confirmed the incident, explaining that there was a leak at a service provider and that it was taking appropriate measures, which include notifying the people affected.


The letter sent by McDonald’s stated that the leak occurred after one of the company’s employees had an “accident that allowed unauthorized access to the personal data of some of our customers.”

McDonald’s also stated that it is taking appropriate measures and is constantly strengthening its data protection operations. The company provided email addresses so that customers can clarify doubts, such as [email protected] and [email protected].

Some consumers even posted the statement they received via email on Twitter.


Sensitive data includes information that can cause harm to the people involved, explains Marcelo Chiavasa, Professor of Digital Law at Mackenzie Presbyterian University.

“The harm is related to the intimacy of the person. It is more harmful for me to have a known party affiliation and religion, for example, than to leak my name or the CPF. It is this information that allows a person to be persecuted or dismissed because of what is in their heart”, says Chiavasa.

Since no such data was leaked, according to McDonald’s, the risks are reduced to a minimum. However, consumers should be aware of social engineering tricks.

In possession of some information (such as name, CPF and phone), criminals can impersonate victims and persuade acquaintances to transfer money, for example.

The company’s alert is provided for by the LGPD

According to Chiavasa, the notification that the data has been compromised is part of the LGPD rules. That’s why McDonald’s warns its customers.

“In the event of an information security incident, the data controller, in this case McDonald’s, is obligated to inform the National Data Protection Authority (ANPD) and data subjects, if it is understood that this incident entails significant risks for data subjects”, explains the professor.

The expert adds that high-risk incidents are those that may involve sensitive data or children’s data, or that qualify because of the number of people whose data has been leaked.

When asked whether the company could be fined over the leak, he said that the agency is responsible for the evaluation. He concludes: “There is the potential for fines, but the ANPD prefers, at this first moment, to focus more on corporate awareness than on the punitive sphere.”

What does McDonald’s say?

In contact with Tilt, McDonald’s press office confirmed that “one of our service providers experienced an incident that allowed unauthorized access to non-sensitive personal data of some network customers in Brazil.”

According to the company, “Appropriate actions have been taken, and the National Data Protection Authority (ANPD) and potentially affected customers have also been notified.”

Finally, Arcos Dorados, which operates McDonald’s restaurants throughout Latin America, stated that it “renounces this criminal activity and constantly strengthens measures to protect the personal data of its customers. We regret the situation and provide channels of communication to clarify any questions from consumers”.