As the home page of McDonald’s Canada celebrates the upcoming April 5th National Hiring Day, the burger chain also revealed that its career Web site — where job applicants leave their resumes — has been hacked.
“The personal information of approximately 95,000 restaurant job applicants has been compromised,” the company said in a statement. That covers anyone who applied online for a job between March 2014 and this month.
“The personal information compromised was limited to applicant name, address, email address, phone number, employment background and other standard application information,” the company said. “Importantly, our application forms do not request highly sensitive personal information such as social insurance numbers, banking information or health information.”
However, there’s no doubt that having a person’s resume would go a long way to helping a criminal create a fraudulent document and possibly impersonate someone.
“All sensitive documents that retain personal identification, especially in an employment context, should be encrypted,” said Ann Cavoukian, head of Ryerson University’s Privacy and Big Data Institute. “In this day and age it is not a big deal to encrypt data. And it doesn’t matter that they don’t have the social insurance number [of applicants]. They have a lot of other sensitive information — their employment history, when they worked. Just because they don’t have your social insurance number or banking information doesn’t mean its not sensitive. Why not protect the data when you can do it so easily in this day and age?”
She also noted that in its statement McDonald’s said nothing about offering some sort of identity insurance to victims. Often organizations hit by data breaches involving personal information offer to pay for one year of monitoring from a credit monitoring agency.
In an interview Ira Nishisato, national leader of the cyber security and risk practice at the law firm Borden Ladner Gervais said Canadian law on an organization’s “standard of care” for personal information is still evolving. A court would likely look to best practices suggested by industry associations, he said. But he believes these days “encryption is expected” even if personal information doesn’t include social insurance numbers and the like. “If you fail to encrypt you’re at risk,”
In addition to dispensing legal advice on risk Nishiato’s firm represents Canadian organizations that have been sued by data breach victims in class action lawsuits. He couldn’t say if one will be launched by those who filed online job applications at McDonald’s Canada, but admitted that “class actions are increasingly common in Canada following large scale data breaches.”
What the outcome could be in damages isn’t known, because while several cyber class action lawsuits have been certified here none have yet gone to trial. Certification of a class action suit is enough to increase pressure on companies to settle, Nishisato admitted.
According to one report, last year an Ontario judge approved a $400,000 settlement to victims of the 2014 hack of Home Depot’s point of sale system. The news story didn’t detail how many victims the settlement covers. At the time of the settlement there was no evidence that anyone had suffered a fraudulent credit or debit card charge, the judge noted. But as part of the settlement Home Depot Canada had to create a $250,000 fund for future documented claims of Canadians whose payment card information and/or email address was compromised as a result of the data breach.
If the $400,000 settlement seems to be small compared to the size of the business Home Depot does here, the judge noted that the only people whose data was compromised were those who swiped their credit/debit cards when making purchases. Those who had a chip and pin card that inserts into a card reader — and by 2014 that would be the majority of Canadians — werent’ affected.
In its statement McDonald’s said “When we learned of this privacy breach we immediately shut down the site and launched an investigation. The careers webpage will remain shut down until the investigation is complete and appropriate measures are taken to ensure that this type of security breach does not happen again.”
McDonald’s Canada told ITWorldCanada.com by email it couldn’t provide a spokesperson for a phone interview. However, company spokesperson Adam Grachnik told CBC News the breach was apparently discovered this month. “McDonald’s Canada monitors its databases for any unauthorized access,” it quoted him as saying. “This monitoring identified unauthorized access to the database.”
Applicants who were directly affected by the breach will be notified by mail or phone, the company said.
The company’s franchisees own and operate more than 1,400 restaurants across the country with around 80,000 full and part-time employees. Restaurant opportunities include everything from managers, assistant managers, shift managers to maintenance facilities personnel. Head office opportunities range from managers, training, human resource, supply chain and marketing personnel to IT staff.