McDonald’s hat trick of the week: three cases involving insider breaches make the media

It looks like McDonald’s made a media hat trick this week in terms of dishonest employees and card fraud or ID theft. First, employees in Illinois and  Washington were caught skimming customers’ debit and credit cards, and now Dave Gibson reports on a case from Georgia:

On Wednesday, Eva Ramos, 36, a former McDonald’s restaurant manager, was sentenced in U.S. District Court to 32 months in federal prison for her role in an ID theft scheme.

Ramos pleaded guilty to selling the identities of U.S. citizens to illegal aliens employed in McDonald’s restaurants throughout the Savannah area.


Skimming customers’ cards? Selling and using others’ identities to work at McDonald’s? What’s going on here?

I’m sure McDonald’s has many honest employees, but that’s at least the sixth report of employee-related fraud involving McDonald’s this year.  In addition to the three incidents mentioned above, another young employee was accused of skimming hundreds of customers’ cards at a drive-thru window in Monticello, Minnesota this summer. After that breach, a corporate spokesperson said:

Nothing is more important to us than the security of our customers. This is an isolated incident which we take very seriously. Please be assured that this is not reflective of the values of our employees.

But how isolated is it, really, when at about the same time, hundreds of other customers had their cards skimmed at a drive-thru window at Norfolk (Virginia) Naval Station? Or you find an elaborate credit card fraud ring operating out of Mandeville, Lousiana that also obtained customer’s card numbers at the drive-thru window? Or you have two new reports within this past week alone after another drive-thru window skimming report from Michigan last month?

McDonald’s has a lot of stores – many more than Burger King.  By chance, then, one would expect more incidents at McD’s than Burger King, but when you do not see any reports of insider breaches involving Burger King, and six involving McDonald’s insiders, well…. you do the math.

The hospitality sector continues to be the single biggest sector for breaches relating to card fraud or misuse, with some studies suggesting they compromise 23 – 40% of all card-related breaches. McDonald’s is clearly not the only fast-food operation experiencing breaches involving customer card data.  A chain of 23 Burger King franchises owned by Liberty Restaurant Group and six stores owned by EDN in Georgia had multiple stores compromised in what appears to be  POS-related compromises. In contrast, I’ve seen no reports of POS hacks involving McDonald’s databases containing credit or debit card info.  So if they are getting security right on their electronic databases, why so many incidents of  young employees skimming cards at drive-thru windows? They need to get employee security right, too.

I asked McDonald’s for a statement about the reports of insider breaches, and they sent this statement:

Rest assured we take matters re: safety and security extremely seriously.

We have cooperated fully with the authorities in their investigation of these crimes.

McDonald’s and our franchisees will not tolerate this type of behavior.”

Well, okay. But what is McDonald’s doing or going to do differently to prevent these employee-related breaches?

[Small update/correction to add Michigan breach]

About the author: Dissent