McDonald’s confirms leak of CPF, email and other customer data

Name, marital status, address, email, CPF and telephone number are on the list of leaked McDonald’s customer data. The fast food chain sent an email to some consumers on Sunday (17) informing them of what happened.

The company stated that “there was no access to sensitive data”. Under the General Data Protection Act (LGPD), this category of personal information may include racial, ethnic, religious, philosophical, political, genetic, biometric, health and/or sex life data.

In a statement sent to Tilt, Arcos Dorados, the company that operates McDonald’s in Brazil and other Latin American countries, confirmed the incident, explaining that there was a leak at a service provider and that it was taking appropriate measures, which include notifying people affected by the incident.

The leak

The message sent by McDonald’s said the leak occurred after one of the company’s employees suffered “an incident that allowed unauthorized access to personal data of some of our customers”.

McDonald’s also stated that it is taking appropriate measures and that it continuously strengthens data protection processes. The company provided some emails so that customers can clarify doubts such as and

Some consumers even published the statement received by email on Twitter.


Sensitive data involves information that could potentially cause harm to those involved, explains Marcelo Chiavassa, professor of digital law at Mackenzie Presbyterian University.

“The harm is linked to the person’s intimacy. It is much more harmful for me to have my party affiliation and religion known, for example, than leaking my name or CPF. This information is what allows the person to be persecuted or segregated for what she is in her heart”, says Chiavassa.

As no such data was leaked, according to McDonald’s, the risk is minimized. However, consumers need to beware of social engineering scams.

In possession of some information (such as name, CPF and telephone), criminals can impersonate victims and convince acquaintances to transfer money, for example.

Company alert is provided for by LGPD

According to Chiavassa, the notice that data was compromised is part of the LGPD rules. That’s why McDonald’s warned its customers.

“In the event of an information security incident, the data controller, in this case McDonald’s, has the obligation to inform the National Data Protection Authority (ANPD) and the data subjects, if it understands that this incident entails considerable risk to the holders”, explains the professor.

The expert adds that incidents of considerable risk are those that may involve sensitive data or children’s data, or that qualify because of the number of data subjects whose data was leaked.

Asked if there is a possibility of the company being fined for the leak, he says that the ANPD is the body in charge of the assessment. “There is the possibility of fines, but the ANPD is preferring, at this first moment, to focus more on companies’ awareness, than on a punitive sphere”, he concludes.

What does McDonald’s say?

Contacted by Tilt, McDonald’s press office confirmed that “one of our service providers suffered an incident, which allowed unauthorized access to non-sensitive personal data of some network customers in Brazil”.

According to the company, “appropriate measures were adopted, as well as we communicated to the National Data Protection Authority (ANPD) and the customers possibly impacted”.

Finally, Arcos Dorados, which operates McDonald’s restaurants throughout Latin America, stated that “it repudiates this criminal activity and works continuously to strengthen measures to protect its customers’ personal data. We regret the situation and provide communication channels to clarify any questions from consumers”, the company concluded.