
Not So McHappy Days: The McHire Hack is a Wake-up Call for Canadian Comms Leaders about Cyber Preparedness

Jul 16, 2025


Last week, news broke that a major security lapse in McDonald's AI-powered hiring system exposed personal data of 64 million job applicants, highlighting dangerous vulnerabilities as companies rapidly integrate artificial intelligence without adequate safeguards. 


Security researchers accessed the entire McDonald's McHire platform in just 30 minutes using the password "123456". It’s what cybersecurity experts are calling an embarrassing example of how rushed AI deployments are creating new attack vectors. The breach allowed unauthorized access to years of applicant data including names, email addresses, phone numbers and complete chat logs with the AI hiring bot called "Olivia." 


Kobi Nissan, co-founder and CEO of data privacy firm MineOS, said it best: “This incident is a reminder that when companies rush to deploy AI in customer-facing workflows without proper oversight, they expose themselves and millions of users to unnecessary risk.”

 

Growing AI Risks in Canadian Workplaces 

The McDonald's incident comes as Canadian organizations face mounting cybersecurity challenges linked to rapid AI adoption across most industries.  


According to recent Gallup research, AI use at work has nearly doubled in two years, with one in five employees now using AI frequently. In Canada, 46 per cent of workers have adopted generative AI, up from 22 per cent in 2023, according to KPMG Canada's latest Generative AI Adoption Index, with the greatest uptake in information and cultural industries.


A recent report out of the UK found that nearly half of UK employees admit to using AI tools that haven’t been vetted by IT - what’s now known as shadow AI. These unauthorized tools can unintentionally leak data or bypass corporate security controls. 


And it’s not just employees behaving badly. AI-driven workforce realignment is reshaping enterprise structures. Microsoft, for instance, laid off around 15,000 employees over the past year, while publicly citing more than $500 million in AI efficiency gains. This shift sends a clear message: AI isn't just enhancing jobs – it’s replacing them.  

The rapid integration creates what cybersecurity experts call an expanded "attack surface" - each new AI implementation potentially offering cybercriminals another entry point. With McDonald’s, AI adoption proved a double-edged sword as speed and convenience came at the cost of expanded vulnerability and diminished oversight. 

 

The Missing Piece: A Cyber Crisis Plan 

Despite the proliferation of AI risk, most firms are still unprepared when an incident strikes. A recent Business Development Bank of Canada survey showed that while 73% of small businesses have experienced a cybersecurity incident, only 11% have a formal incident response plan in place – and fewer than one in three have ever tested it.

That’s particularly troubling when reputational damage can often outweigh technical impact. 

 

Actions to Take Now 

Communications leaders need to be ahead of this. As AI reshapes not just how companies interact with customers but how they operate as a business, preparing for a potential AI-driven breach is now non-negotiable. To get started: 


  1. Build and Maintain a Cyber Crisis Communications Playbook

Build a formal response structure and cross-functional response team. Prepare templated statements – internal briefings, public holding statements, customer FAQs – and ensure rapid approval processes in case of an issue. Cross-functional integration with IT and legal is critical to maintaining message accuracy under pressure.


  2. Conduct Realistic Tabletop Simulations

Simulate a breach scenario - ideally based on real events like the McDonald’s hiring bot hack - to test operational roles and response coordination. These exercises reveal vulnerabilities and help spokespeople speak with clarity and confidence.


  3. Audit and Secure AI-Driven Customer Interfaces

Identify all AI touchpoints - chatbots, hiring portals, support bots and automation scripts. Collaborate with security teams to enforce authentication, data encryption and monitoring. Communications should establish escalation points and messaging protocols in case of API leaks or credential compromises.


The McDonald’s hiring bot breach is a wake-up call: yes, AI presents huge opportunities for businesses. But without robust oversight, risk is growing with each new AI-enhanced interaction.


Prevention is best – but even the most proactive business can and will fail. So preparation is critical. Companies that prepare by integrating cybersecurity with PR, legal, IT and senior leadership stand the best chance of protecting what truly matters - trust. 


Sign Up for Our Cybersecurity Crisis Response Webinar

Interested in finding out more? Tune into our cyber preparedness webinar on July 31st, where we’ll share best practices and guidance based on some of our recent cyber work. Register here


© 2024 Sovereign Advisory Inc. All rights reserved.
