Personal information of McDonald’s job applicants exposed online

Thousands of Australian prospective McDonald’s workers have had their personal information exposed online due to a security vulnerability in an AI chatbot used by the fast-food giant.

The chatbot, “Olivia”, handles job applications for McDonald’s franchisees globally, including in Australia, screening candidates and asking for information including their resumes and contact information, then conducting a personality test.

McDonald’s Australia hires more than 11,000 workers every year and is one of the nation’s largest employers, with more than 100,000 employees across its restaurants and management offices. Credit: Eamon Gallagher

Olivia, built by US-based software firm Paradox, suffered from poor security, however, with researchers last week able to access the chatbot’s 64 million chat records using the username and password, “123456”.

The security researchers, Ian Carroll and Sam Curry, verified that the chat records were legitimate and included applicants’ names, email addresses and phone numbers.

Their research was first reported by US tech news publication Wired. When The Age and The Sydney Morning Herald applied for a job at McDonald’s, Olivia sought a 60-second video, asking why we wanted to work at McDonald’s, as well as our email address and phone information.

Olivia also asks candidates whether several personal traits are “me” or “not me”, including “open to feedback”, “traditional”, “calm in the storm”, and “do it yourself”.

A screenshot of the McDonald’s Australia chatbot Olivia. Credit: Nine

“I just thought it was pretty uniquely dystopian compared to a normal hiring process, right? And that’s what made me want to look into it more,” security researcher Ian Carroll told Wired. “So I started applying for a job, and then after 30 minutes, we had full access to virtually every application that’s ever been made to McDonald’s going back years.”

McDonald’s Australia hires more than 11,000 workers every year and is one of the nation’s largest employers, with more than 100,000 employees across its restaurants and management offices. According to McDonald’s, more than 5 per cent of the Australian population has at some point worked for the golden arches.

“We’re disappointed by this unacceptable vulnerability from a third-party provider, Paradox.ai,” a McDonald’s Australia spokeswoman said.

“As soon as we learned of the issue, we mandated Paradox.ai to remediate the issue immediately, and it was resolved on the same day it was reported to us.

“We take our commitment to cybersecurity seriously and will continue to hold our third-party providers accountable to meeting our standards of data protection.”

A spokesman for Paradox.ai said the applicants’ personal information had not been accessed by any third party other than the security researchers, and that the personal information of five US-based applicants had been accessed before the researchers notified the company.

“We take responsibility for this issue. Full stop. Our clients and their candidates place their trust in us, and we are committed to maintaining that trust,” the spokesman said.

“We also want to thank the researchers for responsibly disclosing the issue, which allowed us to fix it quickly.”

CyberCX’s Katherine Mansted called the security fail “gob-smacking”.

Katherine Mansted is executive director of cyber intelligence at CyberCX, Australia’s largest cybersecurity company.

She said that in the “gold rush” to implement new AI technology, basic security steps were often forgotten.

“This is a case where the security fail is really basic, it’s gob-smacking,” she said. “That in this day and age, a generic password was being used on a system processing personal information on a portal that had no multifactor authentication ... It’s a major security fail.

“Transparency is the most important thing, and it does seem that we’ve had that here with a frank and quick acknowledgement of what’s gone wrong, and an investigation to understand what the harm is as well.

“The other point that can’t be emphasised enough is that if you outsource a technology solution to a third party, you need to own the security of that solution, and you need to own the risk if something goes wrong.”
