~€4 million fine for McDonald’s Poland because of weak/default credentials and IDOR 🫠

The Polish Data Protection Authority (UODO) has fined McDonald’s Poland PLN 16.9 million (≈ €4 million) and its data processor, 24/7 Communication, PLN 184,000 (≈ €40,000) after a misconfigured server exposed sensitive personal data.

The UODO is Poland’s data-protection authority, enforcing both the GDPR and national privacy law. PESEL is the Polish national identification number: it works much like a US Social Security Number and uniquely identifies a person for life, which is why its exposure is treated as serious. Passport numbers play the same role for non-citizens, who have no PESEL.

Researchers Sam Curry and Ian Carroll found an admin panel on the global hiring portal mchire.com and got in by trying default test credentials (123456:123456). Inside, they found an IDOR in the PUT /api/lead/cem-xhr endpoint: the handler trusted the lead ID supplied in the request, so by changing that one value they could walk through applicants’ records and pull addresses, emails, phone numbers, and even their chat histories with the AI hiring bot. Neither step needs an exploit chain; a test account that was never removed plus one missing ownership check is the whole story.
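To make the IDOR concrete, here is an added illustration (my own code, not the researchers’ or McHire’s): a stripped-down handler for the PUT /api/lead/cem-xhr endpoint that trusts the caller-supplied lead ID, next to the same handler with the lookup scoped to the authenticated account, and a loop that shows what a single valid session can harvest from each. The in-memory store, field names, the `Session` object and the sample leads are invented for the example; only the endpoint name and the fact that lead IDs could be enumerated come from the post.

```python
"""Illustrative IDOR: a PUT handler that trusts a caller-supplied lead_id.

Added example, not code from the original post. The store, the field names and
the Session object are assumptions made for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Lead:
    lead_id: int
    owner_account: str                  # account (e.g. a franchise) the applicant belongs to
    email: str
    chat_history: list[str] = field(default_factory=list)
    notes: str = ""


@dataclass
class Session:
    account: str                        # account the caller authenticated as


class Forbidden(Exception):
    """Raised for a record the caller may not touch (or that does not exist)."""


# Constructed sample data: three applicants owned by two different accounts.
LEADS = {
    1001: Lead(1001, "acct-a", "a@example.test", ["hi", "I would like to apply"]),
    1002: Lead(1002, "acct-b", "b@example.test", ["hello"]),
    1003: Lead(1003, "acct-b", "c@example.test", []),
}


def _serialize(lead: Lead) -> dict:
    return {"lead_id": lead.lead_id, "email": lead.email,
            "chat": list(lead.chat_history), "notes": lead.notes}


def vulnerable_put_lead(session: Session, lead_id: int, payload: dict) -> dict:
    """The IDOR: lead_id from the request is used directly as the lookup key and
    the caller's account is never compared with the record's owner, so any
    authenticated user can read (and edit) any applicant by guessing IDs."""
    lead = LEADS.get(lead_id)
    if lead is None:
        raise KeyError(lead_id)
    lead.notes = payload.get("notes", lead.notes)
    return _serialize(lead)             # response echoes the whole record back


def hardened_put_lead(session: Session, lead_id: int, payload: dict) -> dict:
    """Same handler with an ownership check. A missing record and a record owned
    by someone else produce the same Forbidden, so the endpoint cannot be used
    to probe which IDs exist either."""
    lead = LEADS.get(lead_id)
    if lead is None or lead.owner_account != session.account:
        raise Forbidden(f"lead {lead_id} is not accessible to {session.account}")
    lead.notes = payload.get("notes", lead.notes)
    return _serialize(lead)


def enumerate_leads(handler, session: Session, id_range: range) -> list[int]:
    """What an attacker holding one valid session can harvest by walking the ID
    space: the lead IDs for which the handler returned a record."""
    found = []
    for lead_id in id_range:
        try:
            handler(session, lead_id, {})
        except (KeyError, Forbidden):
            continue
        found.append(lead_id)
    return found


if __name__ == "__main__":
    attacker = Session("acct-a")        # owns only lead 1001
    print("vulnerable:", enumerate_leads(vulnerable_put_lead, attacker, range(1000, 1010)))
    print("hardened:  ", enumerate_leads(hardened_put_lead, attacker, range(1000, 1010)))
```

In a real application the ownership check belongs in the query itself (`WHERE lead_id = ? AND account_id = ?` against the session’s account), never in a comparison done after an unscoped lookup, and the failure response should be the same 404 for “does not exist” and “not yours” so that the endpoint does not confirm valid IDs. Sequential integer IDs make the enumeration cheap; unguessable identifiers slow it down but are not a substitute for the check.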

Notably, the UODO imposed these hefty fines even though there was no evidence that the exposed data had actually been exfiltrated by bad actors or publicly disclosed.

@reynardsec Fines even with lack of proof? McDonald’s has the money to challenge this. This sounds like an easy case that will ultimately weaken the application of GDPR and privacy laws. Unbelievable. 
@lbnvds The possibility of unauthorized access to the data has been confirmed solely by the researchers. The statement about there being no evidence refers to the absence of any signs of mass data exfiltration carried out by bad actors.
@reynardsec Oh, I see, excuse my poor reading comprehension. Thanks for clarifying!