A bug in the McDonald’s Monopoly VIP game in the United Kingdom caused the login names and passwords for the game’s database to be sent to all winners.
Niamh Muldoon , Senior Director of Trust and Security EMEA
InfoSec Expert
September 8, 2021 3:27 pm
<p>Many still believe that security is a technology problem. Once they apply the technology controls they tend to believe that they no longer are open to threats. \"There is no one single bullet – Defence in Depth is the key\". Organisations should apply controls to technologies, make sure security is included in business processes, and ensure the organisation has a good security culture. Applying a Defence in Depth (DiD) model to security within your organisation, with security controls in place within technologies, business processes and culture will begin to support reducing. Don\’t underestimate the value of security awareness programmes for keeping your employees conscious. Identity and access management is a key control that protects data and/or systems. Organizations that have been successful in security culture change have utilised their identity and access management as a strategy to drive this cultural shift. Logging on and accessing systems/data is the one security control we all do no matter what role you have in your organization, don’t underestimate its ability to keep us all conscious to operate with a security mindset.</p>
<p>The Mcdonald\’s issue appears to be due to poor error handling.</p>
<p>Error handling is discussed in both development and cyber security, but to be honest, it is not taken as seriously as it should be. This is due to the majority of error messages not causing a significant information leakage.. but not in this case!</p>
<p>Here, a database of passwords and connection strings was disclosed. Assuming the database is well protected from the public internet, this does not pose a critical and immediate risk, but as a mistake, it is a little more embarrassing. It is assumed that database passwords etc were immediately changed after the error was discovered. Deployment security and error handling were both keys in this situation.</p>
<p>Cybersecurity is about resilience and layers of protection. Something internal (as in this case) may be disclosed, but if it\’s not accessible on the public internet the disclosure may not be as bad as it looks.</p>
<p>Many still believe that security is a technology problem. Once they apply the technology controls they tend to believe that they no longer are open to threats. \"There is no one single bullet – Defence in Depth is the key\". Organisations should apply controls to technologies, make sure security is included in business processes, and ensure the organisation has a good security culture. Applying a Defence in Depth (DiD) model to security within your organisation, with security controls in place within technologies, business processes and culture will begin to support reducing. Don\’t underestimate the value of security awareness programmes for keeping your employees conscious. Identity and access management is a key control that protects data and/or systems. Organizations that have been successful in security culture change have utilised their identity and access management as a strategy to drive this cultural shift. Logging on and accessing systems/data is the one security control we all do no matter what role you have in your organization, don’t underestimate its ability to keep us all conscious to operate with a security mindset.</p>
<p>The Mcdonald\’s issue appears to be due to poor error handling.</p>
<p>Error handling is discussed in both development and cyber security, but to be honest, it is not taken as seriously as it should be. This is due to the majority of error messages not causing a significant information leakage.. but not in this case!</p>
<p>Here, a database of passwords and connection strings was disclosed. Assuming the database is well protected from the public internet, this does not pose a critical and immediate risk, but as a mistake, it is a little more embarrassing. It is assumed that database passwords etc were immediately changed after the error was discovered. Deployment security and error handling were both keys in this situation.</p>
<p>Cybersecurity is about resilience and layers of protection. Something internal (as in this case) may be disclosed, but if it\’s not accessible on the public internet the disclosure may not be as bad as it looks.</p>