McDonald's AI Hiring Bot Exposes Millions of Applicants' Data Due to Security Flaw

The information displayed in the AIM should not be reported as representing the official views of the OECD or of its member countries.

A critical security vulnerability in McDonald's AI-powered hiring platform, McHire, allowed unauthorized access to the personal data of over 64 million job applicants. The flaw, discovered by security researchers, stemmed from weak backend credentials, exposing sensitive information collected by the AI chatbot Olivia. [AI generated]

Why's our monitor labelling this an incident or hazard?

The AI system (AI-powered recruiting chatbot) was used in the hiring process and collected sensitive personal data. The security flaw (weak password) allowed unauthorized access to this data, directly leading to a breach of privacy and potential harm to millions of individuals. The harm includes violations of personal data protection rights and risks of identity theft and fraud, which fall under violations of human rights and harm to individuals. The AI system's involvement in data collection and storage is central to the incident. Hence, this qualifies as an AI Incident rather than a hazard or complementary information. [AI generated]

AI principles
Privacy & data governance
Robustness & digital security
Accountability
Respect of human rights

Industries
Business processes and support services

Affected stakeholders
Consumers

Harm types
Human or fundamental rights

Severity
AI incident

Business function:
Human resource management

AI system task:
Interaction support/chatbots
