McDonald's
Incidents involved as both Developer and Deployer
Incident 11792 Report
McDonald's McHire AI Recruitment Platform Reportedly Exposed Data of 64 Million Applicants via Default Login and API Vulnerability
2025-06-30
Researchers Ian Carroll and Sam Curry reported that McDonald's AI-powered hiring tool, McHire (using Paradox.ai's "Olivia" chatbot), could purportedly be accessed via default admin credentials and an insecure direct object reference in an internal API. The flaws allegedly allowed viewing of applicants' personally identifiable information and chat histories. McDonald's and Paradox reportedly patched the issues within a day of disclosure; Paradox stated only five records were accessed.
MoreIncident 5491 Report
Fast Food Chains' AI Chatbots Failed to Assist Job Applicants with Scheduling Interviews
2023-01-05
McDonald's, Wendy's, and Hardee's AI chatbots deployed to pre-screen job candidates and schedule interviews reportedly ran into issues such as not giving useful submission instructions, failing to relay information to the manager, and scheduling an interview when the manager was not available.
MoreIncidents involved as Deployer
Incident 4756 Report
McDonald's Reportedly Ends IBM Partnership After AI Drive-Thru Ordering Errors at U.S. Locations
2021-06-02
Between 2021 and mid-2024, McDonald's reportedly piloted an AI-enabled voice ordering system that was developed with IBM and based on its 2019 acquisition of Apprente. It was reportedly deployed at at over 100 U.S. drive-thrus. Social media posts alleged frequent misorders, such as adding unwanted items, mixing adjacent lane orders, and ignoring corrections. In June 2024, McDonald's confirmed it ended the IBM pilot, citing plans to explore alternative voice-AI vendors.
MoreIncident 3603 Report
McDonald's AI Drive-Thru Allegedly Collected Biometric Customer Data without Consent, Violating BIPA
2021-10-15
McDonald's use of chatbot in its AI drive-through in Chicago was alleged in a lawsuit to have collected and processed voice data without user consent to predict customer information, which violated Illinois Biometric Information Privacy Act (BIPA).
More