Data leak at McDonald's: How a "123456" password puts millions of applicants' data at risk

Data leak at McDonald's: Security researchers managed to gain access to McDonald's HR platform McHire using the password "123456".

Security researchers managed to gain access to the HR platform McHire of the fast food company McDonald's using the password "123456". Through this access, up to 64 million data records could be reached. McDonald's blames the contracted service provider. However, if due diligence had been carried out properly, this data leak at McDonald's would not have happened in the first place. Here is what companies should look out for and how Ailance helps to avoid such risks.

How did the data leak at McDonald's come about?

In the USA, McDonald's uses an AI chatbot called Olivia for the application process on its McHire.com platform. Among other things, Olivia collects contact information and CVs and also manages personality tests before inviting candidates to face-to-face interviews. The HR portal is operated by the service provider Paradox.ai, which also developed Olivia.

Security researchers took a closer look at the chatbot and the McHire.com website. First, the security experts tried to gain access to McHire.com as a McDonald's branch. In doing so, they discovered the possibility of logging in as a Paradox employee. As it turned out, this was a serious vulnerability: an outdated admin account was publicly accessible with the credentials "123456" (used as both username and password) and without any two-factor authentication. Using this account, the researchers were able to reach sensitive applicant data with little effort; up to 64 million data records could be accessed via the API.

The platform processes a variety of personal data, including:

  • First and last name
  • Phone number
  • E-mail address
  • Application status
  • Personality analysis results
  • Full chat history with Olivia
  • Any saved attachments (e.g. CV, certificates)

Even though only five real data records were actually viewed and verified by the researchers, the potential damage was enormous, especially with regard to possible phishing scenarios or identity theft.

Paradox closed the security gap immediately after the security researchers informed the company. In a blog post, Paradox explains how the data leak at McDonald's came about: The "123456" account was set up for testing purposes and should have been removed years ago.

Link tip: Paradox statement on the security incident at McHire.com

Why monitoring service providers is essential: due diligence & monitoring

The data leak at McDonald's shows that the use of AI systems in HR is particularly critical. Application data is among the most sensitive information of all; if its protection is neglected, even the most modern technology will not help. Especially in the context of AI, "privacy by design" in accordance with Art. 25 GDPR must be implemented, i.e. data protection through technology design and data-protection-friendly default settings. There is also an increasing focus on topics such as AI governance, e.g. through ISO/IEC 42001 or the EU AI Act.

A complex system like McHire with AI support and API access requires continuous monitoring, not just a one-off check during the selection process. Those responsible must therefore:

  1. Carry out initial due diligence
    Review security standards, password guidelines, MFA and general IT governance.
  2. Establish regular monitoring
    Ensure repeated audits, technical inspections and certificate checks.
  3. Document contractual and technical safeguards
    So that those responsible are not caught completely unprepared by data protection mishaps like this one.

How Ailance from 2B Advice helps to avoid such risks

With Ailance - Integrated Risk Management, the monitoring and management of service providers can be organized in a systematic, legally compliant and traceable manner:

  • Digital due diligence
    Structured questionnaires, configurable risk assessment, security checklists - digital, scalable and GDPR-compliant.

  • Continuous monitoring
    Re-audits, automatic reminders, monitoring of certificates and security incidents with early warning mechanisms.

  • Seamless Documentation
    Audit trails and systematic recording of all audits and measures - ideal for internal auditing and external controls.

  • Risk classification & escalation
    Service providers are automatically categorized into risk levels. Critical cases such as the one described here would immediately lead to escalation in Ailance - including defined workflows.


Practical tips: What you can do immediately

✅ Activate multi-factor authentication for all privileged accounts
✅ Check API accesses regularly for vulnerabilities (IDOR, auth problems, etc.)
✅ Check contracts with AI service providers for privacy-by-design requirements
✅ Use Ailance to map due diligence and monitoring in a structured way
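As an added example (not from the article, Paradox or Ailance), the following Python audit flags the three conditions this incident combined in one account: a privileged account without MFA, a password equal to the username or to a known-weak value, and a test account left alive past its retention period. The denylist, the 90-day retention policy, the PBKDF2 user store and the account inventory are constructed assumptions; only password hashes are inspected, never plaintext.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date

ITERATIONS = 50_000              # PBKDF2 work factor of the constructed user store
TEST_ACCOUNT_MAX_AGE_DAYS = 90   # assumed retention policy for test accounts
WEAK_PASSWORDS = {"123456", "password", "admin", "qwerty", "12345678"}  # constructed denylist
AS_OF = date(2025, 7, 10)        # constructed audit date

@dataclass
class Account:
    username: str
    role: str            # "admin" or "user"
    mfa_enabled: bool
    purpose: str         # "production" or "test"
    created: date
    salt: bytes
    pw_hash: bytes       # PBKDF2-HMAC-SHA256(password, salt); plaintext is never stored

def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_account(username, role, mfa, purpose, created, password) -> Account:
    salt = hashlib.sha256(username.encode()).digest()[:16]   # deterministic salt for the sample only
    return Account(username, role, mfa, purpose, created, salt, derive(password, salt))

def has_weak_password(acct: Account) -> bool:
    # Only the hash is available, so each denylisted candidate (plus the username itself)
    # is derived with the account's salt and compared in constant time.
    for candidate in WEAK_PASSWORDS | {acct.username}:
        if hmac.compare_digest(derive(candidate, acct.salt), acct.pw_hash):
            return True
    return False

def audit(accounts: list, today: date) -> list:
    findings = []
    for a in accounts:
        if a.role == "admin" and not a.mfa_enabled:
            findings.append((a.username, "privileged account without MFA"))
        if has_weak_password(a):
            findings.append((a.username, "password equals username or a denylisted value"))
        if a.purpose == "test" and (today - a.created).days > TEST_ACCOUNT_MAX_AGE_DAYS:
            findings.append((a.username, "test account past retention period"))
    return findings

# Constructed inventory: one account mirroring the reported weakness, one healthy admin.
SAMPLE_ACCOUNTS = [
    make_account("123456", "admin", False, "test", date(2019, 1, 15), "123456"),
    make_account("j.doe", "admin", True, "production", date(2024, 3, 2), "Tq7#vL9!pR2s-Mx"),
]
```

Running `audit(SAMPLE_ACCOUNTS, AS_OF)` yields three findings for the "123456" account and none for "j.doe"; in practice the denylist would be a breached-password corpus and the inventory an export from the identity provider.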


Find out more about Ailance here.

After the data leak at McDonald's: AI requires more monitoring - not less

The McHire case with the AI chatbot Olivia makes it clear: AI can make processes more efficient, but it can also bring with it massive potential for abuse. Companies that rely on modern tools must actively check and continuously monitor their service providers.

Ailance from 2B Advice offers the right platform for this. With the right due diligence, you can prevent a single weak password from putting millions of sensitive data records at risk.

Curious?
Let us show you how Ailance professionalizes your service provider monitoring. Arrange your personal demo appointment directly.
