Wednesday, August 2, 2023

Burger King, Data Breach, French Style

As some of you may be aware of, Burger King experienced another data breach , and it is slightly different from the 2019 event. As before, personal data was exposed due to misconfiguration of their website: specifically in the Jun 2023 incident the passwords for databases and other services were stored in a publicly accessible text file. This would not be that interesting if the incident took place in their US location, where personal data of children was also exposed (Like Panera, which uses palm scanning, Burger King nudged children to enter their info so it was more convenient to order their favourite items and parents to pay without needing to have to go to the cashier), having its customers mysteriously receive emails with blank receipts, or that one of these services whose authentication info was stored in that configuration file was also our old friend Google Analytics would be forgotten in a few weeks.

What makes the special sauce special is this is happened in France, which means it is under the jurisdiction of the GDPR. Data breach investigations under those regulations are rather different than those under US laws. If the American-based multinational cannot prove it has done due diligence regarding how it protects the personal data of its customers and current/future employees, they should at least expect heavy fines: according to GDPR Art. 83(5), severe violations can cost up to 4% of Burger Kings total global revenue, which in 2021 was US$ 1.81 billion. Given the authentication was stored in plain text and children data (which may have been collected in violation of GDPR Art 8, and falls under Recital 38) is at risk, the fast food giant should not expect the French Data Privacy Authority (Commission Nationale de l'Informatique et des Libert├ęs, or CNIL) to be as lenient towards American companies as the Irish one.

This is a very new case -- announced today in the news -- and we have no idea when Burger King reported to the CNIL (per GDPR Art. 33 they must report within 72h of learning of the incident), so we will have to wait to see how it will develop; expect the case to take at least months before the CNIL deliberates and issues fines.