'What a mess': McDonald's customers frustrated as 'Hamburglar' hacks more app accounts
Company said incidents are rare and it's 'confident in the security of our app'
The so-called Hamburglar is still at large, hacking customers' McDonald's app accounts and ordering food on their dime. For some victims, their troubles didn't end there as they were unhappy with how McDonald's handled their cases.
"What a mess," said Deborah Kelly of Peterborough, Ont. She's unimpressed after the fast-food giant mistakenly blamed mystery charges on her account on a technical glitch, not a fraudster.
Since February, CBC News has heard from more than 20 people who allege a fraudster somehow infiltrated their McDonald's phone app — which was linked to their debit or credit card — and ordered meals for pickup.
In one case in April, more than $2,000 worth of meals was ordered at different McDonald's restaurants in Montreal and all charged to one unsuspecting customer in Toronto.
In an email to CBC News, McDonald's acknowledged the problem, but said it's rare and that customers' personal information is safe.
"While we are aware that some isolated incidents involving unauthorized transactions have occurred, we remain confident in the security of our app," said McDonald's Canada spokesperson Ryma Boussoufa.
She recommended customers use unique passwords and frequently change them as a precaution.
'Not handled well'
On Oct. 16, someone used Kelly's app to order $34.87 worth of Chicken McNuggets and burgers for pickup at a McDonald's in Toronto — about 140 kilometres from her home. When she reported the case, a customer service rep assured her it was just a glitch.
"She said, 'The good news is you don't have to report your credit card as compromised,'" Kelly said. "She was really framing it in a really positive way."
Kelly said she spoke with two McDonald's employees who both insisted her account hadn't been compromised. She was also advised to request a refund for the charges from her credit card provider, which she did.
CBC News asked McDonald's why it classified Kelly's case as a "glitch." The company didn't respond, but called Kelly later that same day to apologize and explain that her account had likely been infiltrated by a fraudster.
"They shouldn't have been calling it a glitch," Mike Powers, head of guest relations at McDonald's Canada, told Kelly in a phone call that she recorded.
"It was not handled well," he said.
Powers also suggested that fraudsters are infiltrating McDonald's app accounts by somehow cracking customers' passwords.
After Kelly discovered the mystery charges, she had changed her app's password as a precaution, but she was surprised to learn from Powers that she should also change the password on other online accounts that use the same one.
"Because they assured me I hadn't been hacked, that wasn't a measure I took initially," said a disappointed Kelly. "I don't trust anything McDonald's tells me now."
'Kind of baffled'
Jason Wells of Peterborough is also disappointed in how McDonald's addressed his case. On April 12, someone in Saint Laurent, Que., used his app to order $27.11 worth of chicken burgers and poutine.
He said a customer service rep initially suggested it was some kind of system error.
In a followup email, McDonald's told Wells to contact his bank for a refund, and asked for his e-receipt so it could "investigate this further."
He said the company never followed up with him or offered security advice.
"I was kind of baffled by the entire correspondence with them," said Wells. "It was almost like I was calling some place that, literally, no one had any idea what was going on."
McDonald's declined to comment on Wells's case.
@McDonaldsCanada so not impressed with the security of your APP! Was just hacked and the hacker was able to make purchases of almost $100 and I can’t get into my account to delete my payment info or change my password! 😡😡😡😡😡😡😡
—@Shan_104
@McDonalds @McDonaldsCanada Woke up today to see a $25 charge on my app from Quebec. I'm in Winnipeg. I'm now the third person I know of that this has happened to.
—@im_FFBF00
Last year, CBC News received dozens of complaints from PC Optimum customers that thieves had infiltrated their online accounts and stolen their rewards points. They also complained that the Loblaws rewards program was slow to address their cases.
Retail consultant Bruce Winder said that as retailers embrace new technologies, they need to not only protect customers, but also offer them good guidance if something goes awry.
"This issue is going to increase in frequency as more and more apps become commonplace and hackers get more sophisticated," said Winder, with the Retail Advisors Network in Toronto.
"The companies that lead the way in terms of how to manage [customers] through these issues — because these issues are going to happen — they'll be the ones who will win in the long term."
Why can't McDonald's issue refunds?
McDonald's app victims have also questioned why the restaurant chain won't directly refund their money. Instead, McDonald's has instructed customers to file a claim with the bank behind the credit or debit card attached to their app — even for incorrect charges caused by a technical glitch.
"If they're able to take your money, they should be able to give it back just as easily," said Lyndsay Bailey of Toronto. She ran into trouble after her bank declined to refund $53.50 worth of meals that were charged to her McDonald's app account in Saint-Lambert, Que., in June.
Because McDonald's couldn't issue a refund, it sent Bailey $75 worth of prepaid Visa gift cards.
McDonald's didn't respond to questions from CBC News about app refunds. But in a recent tweet to an inquiring customer, the company stated that the payment information on the McDonald's app isn't stored in its system, which means it can't reverse any charges — only the bank can.
The payment information on the app is not stored in our system. Our system holds a unique token with your payment provider, which allows purchases via the app. This token doesn't work both ways and we're unable to reverse charges. Only the payment provider can reverse a charge.
—@McDonaldsCanada