Ontario woman charged $100 worth of McDonald's at Quebec location she's never visited
Published Monday, February 4, 2019 9:48PM EST Last Updated Tuesday, February 5, 2019 8:42AM EST
Patty Duke has never been to Laval, Que., so she was shocked to see nearly $100 worth of McDonald’s meals – burgers and filets-o-fish – charged to her account.
The Ontario woman believes her My McD’s mobile app, which allows customers to order and pay for food through their mobile phone, was hacked.
“I thought it was an error at first because I couldn’t believe that I’d place four separate orders all to the same McDonald’s within minutes of each other,” she said. “It didn’t make a whole lot of sense.”
Duke reported the alleged fraud to her bank, which put her account on hold, and then she got in touch with the McDonald’s head office.
“I spoke to a customer service agent at corporate headquarters in Toronto and he was very apologetic and said, ‘Oh yeah, this has happened before,’” Duke said.
But one week later, the company sent an email to Duke that said it was sure there had been no security breach within its system and suggested that it was her account or email that was compromised.
She is not alone. Similar cases have been reported elsewhere, including in Nova Scotia where a Halifax woman complained on social media after someone ran up $500 in purchases in Montreal using her account.
Although weak passwords may be to blame, Steve Waterhouse, a former information security officer with the department of National Defence, said there are other possibilities.
“If the application is not secured properly – although on the phone – the information can be (extracted) from the phone, and from that point, it will be handed off,” he said.
In a statement to CTV News, McDonald’s said that it takes appropriate measures to keep personal information secure. It recommends not sharing passwords with others, creating unique passwords and changing them often.
Duke’s bank refunded her money, but she thinks McDonald’s should foot the bill and do more to warn the public of any potential vulnerabilities.
“I certainly think they should be making the public aware that there is a problem and that they’ve working on it,” she said. “Shut it down until they can figure out what’s going on.”