Business

'What a mess': McDonald's customers frustrated as 'Hamburglar' hacks more app accounts

The so-called Hamburglar is still at large, infiltrating customers’ McDonald’s app accounts and ordering food on their dime. For some victims, their troubles didn’t end there as they were unhappy with how McDonald’s handled their cases.

Company said incidents are rare and it's 'confident in the security of our app'

Some McDonald's customers are frustrated with the way the company has handled complaints that food they didn't order is showing up on their accounts. (Jacqueline Hansen/CBC)

The so-called Hamburglar is still at large, hacking customers' McDonald's app accounts and ordering food on their dime. For some victims, their troubles didn't end there as they were unhappy with how McDonald's handled their cases.

"What a mess," said Deborah Kelly of Peterborough, Ont. She's unimpressed after the fast-food giant mistakenly blamed mystery charges on her account on a technical glitch, not a fraudster. 

Since February, CBC News has heard from more than 20 people who allege a fraudster somehow infiltrated their McDonald's phone app  — which was linked to their debit or credit card — and ordered meals for pickup. 

In one case in April, more than $2,000 worth of meals was ordered at different McDonald's restaurants in Montreal and all charged to one unsuspecting customer in Toronto.

In April, more than $2,000 worth of meals was charged to a McDonald's app account belonging to Toronto tech writer Patrick O'Rourke. (Bradley Bennett)

In an email to CBC News, McDonald's acknowledged the problem, but said it's rare and that customers' personal information is safe.

"While we are aware that some isolated incidents involving unauthorized transactions have occurred, we remain confident in the security of our app," said McDonald's Canada spokesperson Ryma Boussoufa.

She recommended customers use unique passwords and frequently change them as a precaution. 

'Not handled well'

On Oct. 16, someone used Kelly's app to order $34.87 worth of Chicken McNuggets and burgers for pickup at a McDonald's in Toronto — about 140 kilometres from her home. When she reported the case, a customer service rep assured her it was just a glitch.

"She said, 'The good news is you don't have to report your credit card as compromised,'" Kelly said. "She was really framing it in a really positive way."

Kelly said she spoke with two McDonald's employees who both insisted her account hadn't been compromised. She was also advised to request a refund for the charges from her credit card provider, which she did. 

Deborah Kelly of Peterborough, Ont., was unimpressed when McDonald's revealed that it had mistakenly blamed the unauthorized charges on her McDonald's app on a 'glitch.' (Submitted by Deborah Kelly)

CBC News asked McDonald's why it classified Kelly's case as a "glitch." The company didn't respond, but called Kelly later that same day to apologize and explain that her account had likely been infiltrated by a fraudster.

"They shouldn't have been calling it a glitch," Mike Powers, head of guest relations at McDonald's Canada, told Kelly in a phone call that she recorded.

"It was not handled well," he said. 

Powers also suggested that fraudsters are infiltrating McDonald's app accounts by somehow cracking customers' passwords.

After Kelly discovered the mystery charges, she had changed her app's password as a precaution, but she was surprised to learn from Powers that she should also change other online accounts, which have the same password.

"Because they assured me I hadn't been hacked, that wasn't a measure I took initially," said a disappointed Kelly. "I don't trust anything McDonald's tells me now."

'Kind of baffled'

Jason Wells of Peterborough is also disappointed in how McDonald's addressed his case. On April 12, someone in Saint Laurent, Que., used his app to order $27.11 worth of chicken burgers and poutine. 

He said a customer service rep initially suggested it was some kind of system error.

In a followup email, McDonald's told Wells to contact his bank for a refund, and asked for his e-receipt so it could "investigate this further."

He said the company never followed up with him or offered security advice.

"I was kind of baffled by the entire correspondence with them," said Wells. "It was almost like I was calling some place that, literally, no one had any idea what was going on."

McDonald's declined to comment on Wells's case. 

Last year, CBC News received dozens of complaints from PC Optimum customers that thieves had infiltrated their online accounts and stolen their rewards points. They also complained that the Loblaws rewards program was slow to address their cases. 

Retail consultant Bruce Winder said that as retailers embrace new technologies, they need to not only protect customers, but also offer them good guidance if something goes awry.

"This issue is going to increase in frequency as more and more apps become commonplace and hackers get more sophisticated," said Winder, with the Retail Advisors Network in Toronto.

"The companies that lead the way in terms of how to manage [customers] through these issues — because these issues are going to happen — they'll be the ones who will win in the long term."

Why can't McDonald's issue refunds?

McDonald's app victims have also questioned why the restaurant chain won't directly refund their money. Instead, McDonald's has instructed customers to file a claim with the bank behind the credit or debit card attached to their app — even for incorrect charges caused by a technical glitch.

"If they're able to take your money, they should be able to give it back just as easily," said Lyndsay Bailey of Toronto. She ran into trouble after her bank declined to refund $53.50 worth of meals that were charged to her McDonald's app account in Saint-Lambert, Que., in June. 

Because McDonald's couldn't issue a refund, it sent Bailey $75 worth of prepaid Visa gift cards. 

McDonald's didn't respond to questions from CBC News about app refunds. But in a recent tweet to an inquiring customer, the company stated that the payment information on the McDonald's app isn't stored in its system, which means it can't reverse any charges — only the bank can. 

ABOUT THE AUTHOR

Sophia Harris

Business Reporter

Based in Toronto, Sophia Harris covers consumer and business for CBC News web, radio and TV. She previously worked as a CBC videojournalist in the Maritimes, where she won an Atlantic Journalism Award for her work. Got a story idea? Contact: sophia.harris@cbc.ca