Experts Reaction On McDonald’s Leaks Password for Monopoly VIP Database

A bug in the McDonald’s Monopoly VIP game in the United Kingdom caused the login names and passwords for the game’s database to be sent to all winners. 

Experts Comments

September 08, 2021
Niamh Muldoon
Senior Director of Trust and Security EMEA
OneLogin

Many still believe that security is a technology problem. Once they apply the technology controls they tend to believe that they no longer are open to threats. "There is no one single bullet - Defence in Depth is the key". Organisations should apply controls to technologies, make sure security is included in business processes, and ensure the organisation has a good security culture. Applying a Defence in Depth (DiD) model to security within your organisation, with security controls in place within technologies, business processes and culture will begin to support reducing. Don't underestimate the value of security awareness programmes for keeping your employees conscious. Identity and access management is a key control that protects data and/or systems. Organizations that have been successful in security culture change have utilised their identity and access management as a strategy to drive this cultural shift. Logging on and accessing systems/data is the one security control we all do no matter what role you have in your organization, don’t underestimate its ability to keep us all conscious to operate with a security mindset.

September 08, 2021
Eoin Keary
CEO and Cofounder
Edgescan

The McDonald's issue appears to be due to poor error handling.

Error handling is discussed in both development and cyber security, but to be honest, it is not taken as seriously as it should be. This is due to the majority of error messages not causing a significant information leakage... but not in this case!

Here, a database of passwords and connection strings was disclosed. Assuming the database is well protected from the public internet, this does not pose a critical and immediate risk, but as a mistake, it is a little more embarrassing. It is assumed that database passwords etc. were immediately changed after the error was discovered. Deployment security and error handling were both key in this situation.

Cybersecurity is about resilience and layers of protection. Something internal (as in this case) may be disclosed, but if it's not accessible on the public internet the disclosure may not be as bad as it looks.
