When Basics Break: How Simple Security Failures Cripple Big Brands
A password of "123456" in 2025, supposedly protecting 64 million people's personal information. McDonald's just handed every UK SMB a masterclass in how vendor incompetence destroys lives.
Some security researchers got curious about Mickey Dee's dystopian AI hiring bot, spent 30 minutes guessing obvious passwords, and suddenly had access to every job application ever submitted to the Golden Arches. We're talking names, phone numbers, chat logs, the works.
While McDonald's and their AI vendor Paradox.ai play hot potato with blame, 64 million desperate job seekers discover their data was protected by supersized digital tissue paper.
This isn't just another data breach story. This is a textbook case of what happens when you bolt on shiny AI features but forget the basics, and it follows exactly the same pattern that cost M&S £300 million and exposed 20 million Co-op customer records just months ago.
The Password That Broke the Internet
Security researchers Ian Carroll and Sam Curry found the admin login page for McDonald's AI hiring system, tried "123456" as the password, and they were in. No multi-factor authentication, no proper access controls, and to top it off, there was an IDOR (Insecure Direct Object Reference) vulnerability.
That's where the application fetches whatever record ID appears in the URL without checking that the logged-in user is allowed to see it, so changing a number shows you someone else's data. It's the sort of thing we warn about in first-year computer science, never mind in production systems handling millions of records.
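To make the IDOR pattern concrete, here is an added illustration (not code from the article, McDonald's or Paradox.ai): a small Python handler that trusts the record ID from the URL, beside the object-level authorization check that closes the hole, plus the kind of test a reviewer would run against both. The applicant records, e-mail addresses and admin role are constructed for the example.

```python
"""Added example: an IDOR in an applicant-record lookup, beside the
object-level authorization check that fixes it. All data is constructed."""
from dataclasses import dataclass

# Constructed sample store: record id -> applicant data (owner = applicant login).
APPLICATIONS = {
    1001: {"owner": "alice@example.test", "name": "Alice", "phone": "07700 900001"},
    1002: {"owner": "bob@example.test", "name": "Bob", "phone": "07700 900002"},
}

@dataclass(frozen=True)
class Session:
    user: str               # identity established at login
    is_admin: bool = False  # hypothetical HR/admin role

class Forbidden(Exception):
    """Raised when the caller may not read the requested record."""

def get_application_vulnerable(session: Session, app_id: int) -> dict:
    """IDOR: the id from the URL is used as-is. Being logged in is checked
    elsewhere, but nothing checks that THIS user may read THIS record."""
    return APPLICATIONS[app_id]

def get_application_fixed(session: Session, app_id: int) -> dict:
    """Object-level authorization: resolve the record, then verify the
    caller owns it or holds the admin role before returning anything."""
    record = APPLICATIONS.get(app_id)
    if record is None:
        raise Forbidden  # same response as 'denied' so ids are not confirmed
    if not session.is_admin and record["owner"] != session.user:
        raise Forbidden
    return record

def readable_ids(fetch, session: Session, ids) -> list:
    """Authorization test: which ids in the range does this caller get
    back? This is the 'change a number in the URL' check from the text,
    run against our own endpoint to prove the fix works."""
    seen = []
    for i in ids:
        try:
            fetch(session, i)
            seen.append(i)
        except (Forbidden, KeyError):
            pass
    return seen
```

Run `readable_ids` against both handlers with an ordinary applicant session: the vulnerable handler returns every record in the range, the fixed one returns only that applicant's own.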
Let me put this in perspective: McDonald's, a company with over 40,000 restaurants worldwide and revenues exceeding $23 billion annually, protected their global hiring database with a password that wouldn't secure a child's tablet. The same corporation that can track every pickle and french fry across their supply chain apparently can't manage basic authentication on systems containing millions of job applications.
The AI angle makes it even more infuriating. Everyone's so keen to automate hiring with clever chatbots and algorithmic screening, but they forget that if you don't lock the back door, it doesn't matter how clever your AI is. It's the old "move fast and break things" mindset, but now it's people's personal data on the line.
The Vendor Blame Game Olympics
Paradox.ai, the vendor behind this catastrophe, claimed the compromised account was a "dormant test account from 2019." But if it's still live and accessible in 2025, that's not "dormant," that's just bloody lazy system administration.
Here's the thing about vendors: they'll promise you the moon during sales calls, then leave test accounts with default passwords running in production for six years. And when researchers expose their incompetence, they fix it quietly and launch a bug bounty program, as if that's going to fix the culture.
This mirrors exactly what we saw in our recent podcast discussion about the DragonForce attacks on M&S and Co-op. Different attack vector, same fundamental problem: vendors who treat security as an afterthought and clients who don't verify their competence.
The M&S and Co-op Connection: Same Disease, Different Symptoms
Just months ago, we watched M&S lose £300 million and Co-op expose 20 million customer records, all because help desk staff at Tata Consultancy Services reset passwords for criminals who sounded convincing on the phone. As I detailed in my analysis of the parliamentary hearing, this wasn't sophisticated malware or nation-state actors. It was basic social engineering exploiting fundamental process failures.
The pattern is identical:
Major brand trusts vendor with critical systems
Vendor implements embarrassingly weak security controls
Criminals exploit basic vulnerabilities that shouldn't exist
Millions of customers pay the price
Everyone acts shocked and promises to do better
M&S Chairman Archie Norman told MPs the attack was "traumatic" and that "everybody at M&S experienced it." But the trauma was entirely preventable if they'd demanded their vendor implement basic call-back verification procedures.
McDonald's customers are about to experience the same trauma because nobody at McDonald's or Paradox.ai thought to implement authentication stronger than "123456."
The Human Cost of Corporate Negligence
Let's talk about what this actually means for real people. Those 64 million job applications represent desperate people seeking employment, often in difficult economic circumstances. They trusted McDonald's with:
Full names and contact details
Employment histories and references
Personal circumstances and availability
Chat logs with AI systems containing sensitive information
Now criminals have access to a treasure trove of personal data perfect for targeted phishing, employment fraud, and identity theft. Someone applying for a minimum-wage job at McDonald's shouldn't have to worry about their personal information being sold on criminal forums because the company couldn't secure a database with a proper password.
The research shows that data from job applications is particularly valuable to criminals because it contains verified personal information from people actively seeking employment. This makes victims more susceptible to fake job offer scams and employment-related fraud.
The AI Security Delusion
The McDonald's breach perfectly illustrates the dangerous delusion that AI somehow equals security. Companies rush to deploy chatbots and algorithmic hiring tools to appear innovative, but they skip foundational security checks because they assume smart technology means secure technology.
I've seen this everywhere: vendors promoting AI-powered solutions with sophisticated natural language processing and machine learning capabilities, while their admin panels are secured with passwords that wouldn't protect a social media account.
As Dr. Sarah Chen noted in our podcast discussion, there's this assumption that if the AI is clever, the system must be secure. But the evidence says otherwise. We're seeing security failures across the AI vendor ecosystem because companies prioritize functionality over protection.
The rush to automate hiring with AI has created a perfect storm: sensitive personal data from vulnerable job seekers, processed by systems with marketing-driven development cycles, secured by vendors who treat cybersecurity as a compliance checkbox rather than a business imperative.
Why This Keeps Happening: The Vendor Risk Reality
The uncomfortable truth is that vendor risk management in most organizations is theatre. Companies sign contracts with liability clauses they never intend to enforce, conduct security assessments they don't understand, and trust vendors with business-critical systems they can't monitor.
Here's what actually happens during most vendor security reviews:
Vendor provides a security questionnaire filled with marketing language
Client's procurement team checks boxes without understanding technical implications
Legal team negotiates liability clauses that sound impressive but prove worthless during breaches
IT team integrates vendor systems without proper security validation
Everyone assumes someone else verified the vendor's competence
When McDonald's selected Paradox.ai for their hiring platform, did anyone actually test whether admin accounts used secure passwords? Did anyone verify that test systems were properly decommissioned? Did anyone check for basic vulnerabilities like IDOR flaws?
Based on the evidence, the answer is clearly no.
The Pattern We Must Break
McDonald's, M&S, Co-op, AT&T, Change Healthcare, 23andMe: different industries, different attack vectors, identical root cause. Organizations outsource critical functions to vendors without ensuring those vendors can actually secure the systems they're providing.
The attackers aren't getting more sophisticated. They're getting more efficient at exploiting the same basic failures that have plagued the industry for decades:
Weak authentication: Passwords like "123456" or easily bypassed help desk procedures
Poor access controls: Admin panels accessible without proper verification
Insecure development: IDOR vulnerabilities and test accounts left in production
Vendor accountability gaps: Blame-shifting when inevitably discovered
Every one of these failures was preventable using security controls available in 2015, never mind 2025.
What This Means for Your Business
If you're running a UK SME and thinking "well, that's McDonald's problem," you're missing the point entirely. The same vendors who failed McDonald's are probably bidding for your contracts right now. The same security gaps that cost M&S £300 million exist in systems you depend on every day.
Ask yourself:
Do you know what passwords your vendors use for admin access to your data?
Have you tested your vendors' security controls, or just reviewed their marketing materials?
Do you have contractual mechanisms to force vendors to fix security failures?
Can you monitor vendor access to your systems and data?
Most UK SMBs can't answer these questions because they assume vendor selection is primarily about features and price. Security gets relegated to a checkbox exercise that satisfies procurement requirements but provides no actual protection.
The Solution Nobody Wants to Hear
Preventing these disasters requires fundamental changes to how businesses approach vendor relationships:
Security-First Vendor Selection: Don't just ask if vendors have ISO certifications. Test their security controls. Try basic password attacks. Check for common vulnerabilities. If they can't demonstrate basic competence, find vendors who can.
Continuous Vendor Monitoring: Security isn't a one-time assessment. Vendors' security postures change, new vulnerabilities emerge, and systems evolve. Regular testing and monitoring should be contractual requirements, not optional extras.
Meaningful Liability Transfer: Force vendors to accept financial responsibility for security failures that impact your operations. If they're not willing to stand behind their cybersecurity promises, find vendors who will.
Internal Capability Building: Stop relying entirely on vendor security claims. Develop internal capability to assess, monitor, and validate vendor security controls. This doesn't require massive investment, just competent professionals who understand the basics.
The Basics Still Work (When Actually Implemented)
The most frustrating aspect of the McDonald's breach is how easily preventable it was. Strong passwords, multi-factor authentication, proper access controls, and secure development practices would have stopped this attack completely.
These aren't cutting-edge security technologies requiring massive investment. They're fundamental controls that should be standard in any system handling personal data:
Proper authentication: No shared passwords, mandatory MFA for admin access, regular credential rotation
Access controls: Principle of least privilege, proper session management, audit logging
Secure development: Input validation, proper testing, systematic vulnerability assessment
Lifecycle management: Proper decommissioning of test systems, regular security reviews
The technology exists, the best practices are well-documented, and the implementation costs are negligible compared to breach consequences. The only missing ingredient is organizational commitment to actually implementing these controls.
The Bottom Line: Stop Pretending This Is Hard
McDonald's just proved that a company with unlimited resources and global reach can't implement basic password security on systems containing 64 million records. M&S and Co-op proved that billion-pound retailers can be destroyed by phone calls to poorly trained help desk staff.
These aren't sophisticated nation-state attacks requiring military-grade defenses. They're basic competence failures that destroy businesses because leaders prioritize shiny features over fundamental security.
The criminals targeting UK businesses aren't laughing because they're technically superior. They're laughing because we keep making the same elementary mistakes while acting surprised when they exploit our incompetence.
Your choice is simple: implement basic security controls now, or become next month's cautionary tale about how "nobody could have predicted" that vendors using "123456" as passwords might get breached.
The basics work. They're proven, affordable, and available to every business regardless of size or budget. The only question is whether you'll implement them before or after criminals demonstrate why they matter.
Source | Article
---|---
Cybersecurity News | McDonald's AI Hiring Bot Leaks Data of Millions
The Small Business Cyber Security Guy | M&S Co-op DragonForce Ransomware Parliamentary Hearing Analysis
Security Researchers | Ian Carroll and Sam Curry - McDonald's Vulnerability Discovery
Parliamentary Business Committee | M&S and Co-op Executive Testimony (July 8, 2025)
Computer Weekly | DragonForce Ransomware Attacks on UK Retailers
OWASP | Insecure Direct Object Reference Vulnerability Guide
Paradox.ai | Official vendor statements on security incident
NCSC | Vendor Risk Management Guidance