Hamburglar strikes again, feasts on $2,000 in meals using customer's McDonald's app
Fraudsters have gained access to some customers' McDonald's app accounts to run up big bills
The mysterious Quebec hamburglar has struck again, racking up more than $2,000 worth of meals at different McDonald's in Montreal. This time, an unsuspecting Toronto tech writer got stuck with the bill.
"I was just panicked because that's a lot of money," said Patrick O'Rourke, managing editor of the tech news site, MobileSyrup.
The fraudster pulled off the fast-food scam by infiltrating O'Rourke's McDonald's mobile app account, which was linked to his debit card. The scammer then used the app to order more than 100 meals for pick-up between April 12 and 18. The smorgasbord included McFlurries, Big Macs, Chicken McNuggets and poutine.
"It could be one guy who was able to hack my account and he shared it with a bunch of his friends across Montreal, and they all just went on a food spree," said O'Rourke, who's baffled by the crime.
PSA: If you live in Canada do NOT use the McDonald's app and put payment information into it. The many victims whose money has been stolen include someone I know in Toronto. https://t.co/BAVGut4FJL —@RohanSJ
None of the four victims CBC News has interviewed live in Quebec, but in each case, fraudsters ordered meals for pick-up at a McDonald's in the province.
O'Rourke's bank eventually refunded his money, but he's unhappy with how McDonald's handled the matter. He claims the company missed the mark by doing little to help him and by not issuing warnings to other customers.
"To me, it just seems like a little bit negligent ... like they don't really care," he said. "McDonald's should at least be sending out a mass email to everyone that has the account [to say], 'Hey, you should reset your password.'"
The Canadian McDonald's app, called My McD's, is just the latest target for cyber criminals. Last year, they were busy stealing Aeroplan and PC Optimum rewards points from some members' online accounts. Many of the fraudsters involved in PC Optimum cases also carried out their crimes in Quebec.
Cybersecurity expert Ritesh Kotak said that in the digital era, companies need to pull out all the stops to protect consumers from cyber criminals.
"We're moving to a cashless society," said Ritesh, who's based in Toronto. "They put all this money into app development, are they putting the same amount of money and rigour and research into the security component of it?"
McDonald's Canada told CBC News that it's only aware of "some isolated incidents" involving compromised app accounts. The company said it keeps personal information secure and that it's confident in the security of its app.
McDonald's didn't say how fraudsters have infiltrated customer accounts, but it recommended that customers practice due diligence by beefing up their passwords and keeping them secure.
"If guests notice any unauthorized purchases, we recommend they contact their bank and change their password immediately," said spokesperson Adam Grachnik in an email.
Where's my refund?
Grachnik also said McDonald's app users receive an email confirmation after every transaction.
O'Rourke's bill — which totaled $2,034 — consisted of more than 100 email receipts. He didn't notice them until they had run up over the course of a week, because the emails landed in a separate "updates" folder in his inbox.
When he called McDonald's to report the case, O'Rourke said he was surprised that the company wouldn't refund his money, and instead told him to deal with his bank.
"I find it pretty shocking that a massive company like McDonald's wouldn't just take responsibility for something like this," he said. "They have more than enough money to be reimbursing people for these issues."
Brian Coleman of Kitchener, Ont., was also disappointed when McDonald's didn't offer him a refund. Someone used his app in late March to run up $267 worth of McDonald's orders in Montreal.
"I expected them to do the refund because it was their fault," he said. "It's their application. If it's not secure, they should take responsibility."
Coleman had his app linked to his credit card, so McDonald's directed him to his credit card company, which eventually issued the refund.
Cybersecurity expert Kotak said even if the culprit is something as simple as a weak password, McDonald's should keep customers informed and work with victims to resolve problems.
"When something like this happens, it's a real step back and a loss of consumer trust," he said.
"They need to bring in experts to say, 'This is the reason for this,' and then work with the banks to ensure that consumers are refunded."
Kotak also recommends that McDonald's implement more protections such as two-step authentication when members access their account.
PC Optimum recently launched stronger password requirements and two-step authentication following its spate of points thefts.
CBC News asked McDonald's what steps it has taken in light of the recent fraud cases.
"Similar to other apps, we are constantly improving the My McD's App and updating it with enhancements to make the user experience as strong and safe as possible," said spokesperson Grachnik.