Business

Hamburglar strikes again, feasts on $2,000 in meals using customer's McDonald's app

Since February, fraudsters have infiltrated some customers' McDonald's app and run up big bills. In the latest case, a scammer ordered more than 100 meals after gaining access to a Toronto tech writer's app.

Fraudsters have gained access to some customers' McDonald's app accounts to run up big bills

Tech writer Patrick O'Rourke is the latest victim of the McDonald's app scam where a fraudster infiltrates a customers' account and runs up big orders. (Bradley Bennett)

The mysterious Quebec hamburglar has struck again, racking up more than $2,000 worth of meals at different McDonald's in Montreal. This time, an unsuspecting Toronto tech writer got stuck with the bill. 

"I was just panicked because that's a lot of money," said Patrick O'Rourke, managing editor of the tech news site, MobileSyrup.

The fraudster pulled off the fast-food scam by infiltrating O'Rourke's McDonald's mobile app account, which was linked to his debit card. The scammer then used the app to order more than 100 meals for pick-up between April 12 and 18. The smorgasbord included McFlurries, Big Macs, Chicken McNuggets and poutine.

"It could be one guy who was able to hack my account and he shared it with a bunch of his friends across Montreal, and they all just went on a food spree," said O'Rourke, who's baffled by the crime.

His case follows a string of complaints from other Canadian customers who've claimed either online or to media outlets that someone hacked their McDonald's app account and ran up big bills.

None of the four victims CBC News has interviewed live in Quebec, but in each case, fraudsters ordered meals for pick-up at a McDonald's in the province.

O'Rourke's bank eventually refunded his money, but he's unhappy with how McDonald's handled the matter. He claims the company missed the mark by doing little to help him and by not issuing warnings to other customers.

"To me, it just seems like a little bit negligent ... like they don't really care," he said. "McDonald's should at least be sending out a mass email to everyone that has the account [to say], 'Hey, you should reset your password.'"

This is just one of the many orders a fraudster made for pick-up at a Montreal McDonald's using Patrick O'Rourke's McDonald's app. (submitted by Patrick O'Rourke)

The Canadian McDonald's app, called My McD's, is just the latest target for cyber criminals. Last year, they were busy stealing Aeroplan and PC Optimum rewards points from some members' online accounts. Many of the fraudsters involved in PC Optimum cases also carried out their crimes in Quebec.

Cybersecurity expert Ritesh Kotak said that in the digital era, companies need to pull out all the stops to protect consumers from cyber criminals.

"We're moving to a cashless society," said Ritesh who's based in Toronto. "They put all this money into app development, are they putting the same amount of money and rigour and research into the security component of it?"

The McDonald's Canada app, known as MyMcD's, allows customers to order food with their mobile devices. (Anjuli Patil/CBC)

McDonald's Canada told CBC News that it's only aware of "some isolated incidents" involving compromised app accounts. The company said it keeps personal information secure and that it's confident in the security of its app.

McDonald's didn't say how fraudsters have infiltrated customer accounts, but it recommended that customers practice due diligence by beefing up their passwords and keeping them secure.

"If guests notice any unauthorized purchases, we recommend they contact their bank and change their password immediately," said spokesperson Adam Grachnik in an email.

Where's my refund?

Grachnik also said McDonald's app users receive an email confirmation after every transaction. 

O'Rourke's bill — which totaled $2,034 — consisted of more than 100 email receipts. He didn't notice them until they had run up over the course of a week, because the emails landed in a separate "updates" folder in his inbox. 

When he called McDonald's to report the case, O'Rourke said he was surprised that the company wouldn't refund his money, and instead told him to deal with his bank.

"I find it pretty shocking that a massive company like McDonald's wouldn't just take responsibility for something like this," he said. "They have more than enough money to be reimbursing people for these issues."

Brian Coleman of Kitchener, Ont., was also disappointed when McDonald's didn't offer him a refund. Someone used his app in late March to run up $267 worth of McDonald's orders in Montreal.

"I expected them to do the refund because it was their fault," he said. "It's their application. If it's not secure, they should take responsibility."

Coleman had his app linked to his credit card, so McDonald's directed him to his credit card company which eventually issued the refund. 

Brian Coleman of Kitchener, Ont., discovered that someone ran up a $267 bill using his McDonald's app to order food. (submitted by Brian Coleman)

Cybersecurity expert Kotak said even if the culprit is something as simple as a weak password, McDonald's should keep customers informed and work with victims to resolve problems.

"When something like this happens, it's a real step back and a loss of consumer trust," he said.

"They need to bring in experts to say, 'This is the reason for this,' and then work with the banks to ensure that consumers are refunded."

Kotek also recommends that McDonald's implement more protections such as two-step authentication when members access their account.

PC Optimum recently launched stronger password requirements and two-step authentication following its spate of points thefts.

CBC News asked McDonald's what steps it has taken in light of the recent fraud cases.

"Similar to other apps, we are constantly improving the My McD's App and updating it with enhancements to make the user experience as strong and safe as possible," said spokesperson Grachnik.

About the Author

Sophia Harris

Business reporter

Sophia Harris has worked as a CBC video journalist across the country, covering everything from the start of the annual lobster fishery in Yarmouth, N.S., to farming in Saskatchewan. She now has found a good home at the business unit in Toronto. Contact: sophia.harris@cbc.ca

Comments

To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.