Data leak at McDonald's and the AI company Paradox commissioned for recruitment

McDonald's uses an AI chatbot for recruitment interviews, but data collected in the process was hardly protected. Security researchers found it easy to access.

McDonald's Drive-In.

(Image: Shutterstock/rzoze19)


McDonald's is offering its branches an AI chatbot called Olivia to speed up the process of hiring new employees. This chatbot not only annoys many applicants with strange questions, but also collects a lot of personal data. However, the AI company Paradox commissioned to do this apparently did not have a good understanding of data protection. Security researchers were able to gain access to the data of up to 64 million applicants relatively easily. Paradox reacted immediately and quickly closed the security gap.

Artificial intelligence (AI) is also no longer a foreign concept at the large fast food chain. In March, it was reported that McDonald's was equipping its branches with AI functions. And the individual restaurants can also use AI in the recruitment process. The head office provides "McHire", a platform with the AI chatbot Olivia developed by Paradox. Anyone applying for a job at a McDonald's branch will in many cases speak to Olivia first.

The AI chatbot first asks applicants for contact information and a CV before carrying out a personality test. A number of applicants have already reported frustrating experiences with Olivia on Reddit, which made security researchers sit up and take notice. They initially tested the AI chatbot for possible security problems, but were unable to identify any direct points of attack through manipulated requests to the language model.

The security researchers then tried to log in to McHire.com as a McDonald's branch in order to gain access to the backend. They found a dubious login option for Paradox employees that was barely protected. There was no multi-factor authentication and "123456" was accepted as the password, the security researchers write in their own blog. This gave them administrator access to a test restaurant within McHire and, with it, access to employee and applicant data.


This made it possible to query any applicant. By manually changing the applicant ID in the request (the IDs had already passed 64 million), further applications including contact information and even the corresponding chat logs could be retrieved. For data protection reasons, the security researchers only retrieved a handful of applications and the associated data, but spot checks confirmed that these were real people. This meant that the data of 64 million job applicants or more was theoretically accessible.
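The two weaknesses described above, a test login that accepts a trivial password and an applicant lookup that serves any ID to any authenticated user, are both failures of basic access control. The following is an added example written for this article; it is not code from Paradox, McHire or heise, and every name, ID, record and log line in it is constructed. It shows the lookup pattern the report describes beside a tenant-scoped version that refuses records outside the caller's restaurant, a deny-list check that would have rejected "123456", and a simple detection heuristic that flags a session walking through consecutive applicant IDs.

```python
"""Added example (not code from Paradox, McHire or heise).

Demonstrates, with constructed data, the object-level authorization check
whose absence allowed applicant-ID enumeration, a weak-password deny list,
and a log-based heuristic for spotting sequential ID enumeration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Applicant:
    applicant_id: int
    restaurant_id: str   # the tenant (branch) that owns this application
    name: str
    email: str


@dataclass(frozen=True)
class Session:
    user: str
    restaurant_id: str   # the one branch this account may administer
    is_platform_admin: bool = False


# Constructed sample records: two branches, three applicants.
APPLICANTS = {
    64_000_001: Applicant(64_000_001, "rest-A", "Alice Example", "alice@example.invalid"),
    64_000_002: Applicant(64_000_002, "rest-B", "Bob Example", "bob@example.invalid"),
    64_000_003: Applicant(64_000_003, "rest-A", "Carol Example", "carol@example.invalid"),
}


class Forbidden(Exception):
    """Raised for both 'not found' and 'not yours' so existence is not leaked."""


def get_applicant_vulnerable(session: Session, applicant_id: int) -> Applicant:
    """The pattern the article describes: any signed-in user gets any ID."""
    return APPLICANTS[applicant_id]


def get_applicant_hardened(session: Session, applicant_id: int) -> Applicant:
    """Object-level authorization: the record's tenant must match the caller's."""
    record = APPLICANTS.get(applicant_id)
    if record is None:
        raise Forbidden("not available")
    if session.is_platform_admin or record.restaurant_id == session.restaurant_id:
        return record
    raise Forbidden("not available")   # same message as the missing-record case


def lookup_denied(session: Session, applicant_id: int) -> bool:
    """True if the hardened lookup refuses the request (convenience for checks)."""
    try:
        get_applicant_hardened(session, applicant_id)
    except Forbidden:
        return True
    return False


# Constructed excerpt of a breached-password deny list; a real deployment would
# use a full list (or an online check) plus enforced multi-factor authentication.
WEAK_PASSWORDS = {"123456", "12345678", "password", "admin", "qwerty"}


def password_acceptable(password: str, min_len: int = 12) -> bool:
    """Reject known-weak and short passwords before they ever reach a hash."""
    return len(password) >= min_len and password.lower() not in WEAK_PASSWORDS


def flag_enumeration(requests, threshold: int = 5):
    """Detection heuristic over (session_user, applicant_id) access-log tuples.

    Flags sessions whose requested IDs contain a run of at least `threshold`
    consecutive values, which is what manual or scripted ID walking looks like.
    """
    by_user = {}
    for user, applicant_id in requests:
        by_user.setdefault(user, set()).add(applicant_id)
    flagged = []
    for user, ids in by_user.items():
        ordered = sorted(ids)
        run = best = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= threshold:
            flagged.append(user)
    return sorted(flagged)


# Constructed access log: one branch manager looking at its own candidates,
# one session walking IDs 64000010..64000015.
SAMPLE_LOG = [("mgr-a", 64_000_001), ("mgr-a", 64_000_003)] + [
    ("walker", 64_000_010 + i) for i in range(6)
]
```

Usage: `get_applicant_hardened(Session("mgr-a", "rest-A"), 64_000_002)` raises `Forbidden`, whereas `get_applicant_vulnerable` returns the other branch's record; `password_acceptable("123456")` is `False`; and `flag_enumeration(SAMPLE_LOG)` returns `["walker"]`. The hardened lookup deliberately returns the same error for a missing record and for another tenant's record, so an enumerating client cannot even learn which IDs exist.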

Attackers could use this data to carry out phishing attacks and, for example, obtain account information by posing as McDonald's employees who request more data before actually hiring. After all, jobs at McDonald's are minimum wage jobs, so it can be assumed that many applicants are relatively desperate before approaching McDonald's.

Paradox closed the security gap immediately after the security researchers informed the AI company about it. In its own blog, Paradox explains that it was a login option for test purposes that should have been removed years ago. According to Paradox, no third party used the test access and no personal data was taken before the access was closed.

McDonald's itself referred to Paradox as the partner responsible for this to Wired. "We are disappointed about this unacceptable security vulnerability with a third-party provider, Paradox.ai," the fast food chain said. "As soon as we became aware of the issue, we asked Paradox.ai to fix the problem immediately. The issue was fixed the same day it was reported to us."

(fds)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.