
McDonald's '123456' Password Scare Reframes Responsible AI Debate
Set aside aspirational AI rhetoric, alarmist consultant pitches and techno-babble.
AI success requires candor about incentives, incompetence and indifference.
McDonald's learned that harsh lesson (in a relatively costless way) when two security researchers used '123456' as both the username and password to gain, astonishingly, full access to the Golden Arches hiring platform — and over 64 million applicants' personal data.
The noble cyber sleuths, Ian Carroll and Sam Curry, reported the flaw to McDonald's and its AI vendor, Paradox, for swift technical resolution. If nefarious actors had found the flaw, McDonald's leadership would be mired in a costly, public crisis.
So, will the fast-food goliath learn from this 'near-miss' to improve tech governance? Will others tap this averted disaster for overdue responsible AI introspection and action? It depends. Widespread and hushed AI deployment problems need thornier fixes than many boards and senior executives will acknowledge, admit or address.
Super-sized opportunities
Workplace crises can be proactively prevented (or eventually explained) by tackling incentives, incompetence and indifference with stewardship, capability and care.
The Golden Arches 'near miss' exemplifies that and the timing couldn't be better. While 88% of executives surveyed by PwC expect agentic AI spending increases this year, many struggle to articulate how AI will drive competitive advantage. Nearly 70% indicated that half or fewer of their workforce interacts with agents daily. Indiscriminately 'throwing money' at issues can create more problems than it solves.
Here's a better start.
Dissect incentives. Talent, culture and bureaucratic entrenchment stymie big firms desperate to innovate. Nimble, bootstrapped startups tantalizingly fill those voids, but crave revenue and reputation. Stalled AI implementations only fuel that magnetism.
Typically, the larger organization makes the headlines when deals falter. How many leadership teams meaningfully assess third-party risk from an incentives perspective? Or do expedited results more strongly appeal to their own compensation and prestige hunger? Is anyone seriously assessing which party has more (or less) to lose?
Nearly 95% of McDonald's 43,000 restaurants are franchised. With over 2 million workers and aggressive growth aims, automating job applications is a logical AI efficiency move. Its selected vendor, paradox.ai, whose tagline boasts 'meet the AI assistant for all things hiring,' seemed like a natural partner. At what hidden costs?
Successful strategic alliances require an 'outside-in' look at a counterparty's interests. Three of the seven-member Paradox board are private equity partners, including chair Mike Gregoire. In Startups Declassified, acclaimed business school professor and tech thought leader Steve Andriole emphasizes flagship revenue's valuation criticality: 'There's no more important start-up activity than sales — especially important are the "lighthouse" customers willing to testify to the power and greatness of products and services. Logo power is [vital] to start-ups.'
'Remember that no one wants to buy start-ups unless the company has killer intellectual property or lists of recurring customers. Profitable recurring revenue is nirvana. Exits occur when a start-up becomes empirically successful,' he continued.
Assess skill and will. Despite its global presence, digital strategy imperatives and daily transaction volume, the 2025 McDonald's proxy reveals three common AI-era oversight shortfalls: inadequate boardroom cyber expertise, no technology committee and cybersecurity relegated to audit oversight. Those are serious signaling problems.
In fact, the word 'cybersecurity' only appears nine times across the 100-page filing. In the director qualifications section, information technology is grouped with cybersecurity and vaguely defined as 'contributes to an understanding of information technology capabilities, cloud computing, scalable data analytics and risks associated with cybersecurity matters.' Just four of the eleven directors are tagged as such.
While three of those four worked in the tech sector, none has any credible IT or cybersecurity expertise. Intriguingly, though not one of the four, board member and former Deloitte CEO Cathy Engelbert has the best experience to push stronger governance. Is she, now the prominent WNBA league commissioner, willing to take such a contentious risk? To start, she can tap longtime McDonald's CFO Ian Borden and auditors EY for guidance and ideas on bolstering board composition.
When tech issues arise, fingers, by default, point at the IT team. However, responsible AI design and deployment truly require cross-functional leadership commitment.
McDonald's CEO Chris Kempczinski routinely touts a 4D strategy (digital, delivery, drive-thru and development) and characterizes the fast-food frontrunner's tech edge as 'unmatched.' That bravado brings massive expectations and he can't be happy with the '123456' password distraction. With annual compensation approaching $20 million, he also has a responsible AI obligation to current and future McDonald's workers making, on average, 1,014 times less — as well as the 40,000 franchisees.
Valerie Ashbaugh, McDonald's commercial products and platform SVP, rotates into the US CIO seat next month. The timing is ideal to institute policies, procedures and accountability for stronger third-party IT access controls.
Alan Robertson, UK ambassador to the Global Council for Responsible AI, astutely notes, 'The damage is done — not by hackers, but by sheer negligence. McDonald's has pinned the issue on Paradox. Paradox says they fixed it and have since launched a bug bounty program. It raises bigger questions for all of us. Who audits the third-party vendors we automate hiring with? Where does the liability sit when trust is breached at this scale? And what does "responsible AI" even mean when basic cybersecurity hygiene isn't in place? We talk about ethics — but sometimes it's just about setting a password.' That's prototypical indifference — especially when the access key is '123456.'
Likewise, HR leaders have a chance to meaningfully shape AI rollouts. 'HR needs to resist the urge to "just go along." There will be many HR leaders who simply wait for the various software lines they currently license to add AI functionality. To do so would be a mistake. AI will become a critical part of the employee experience and HR should have a hand in that,' advises AthenaOnline SVP of customer solutions Mark Jesty. At McDonald's, EVP and global chief people officer Tiffanie Boyd holds that golden opportunity to elevate responsible AI on the board and c-suite agendas. Will she?
Responsibility knocks
The McHire 'near-miss' highlights how boards and c-suites can remain dangerously unprepared for AI design, deployment and oversight. Strategy speed and tech wizardry must never be at stewardship's cost. 'If you're deploying AI without basic security hygiene, you're not innovating. You're endangering people. Security is not optional,' implores Avistar.AI CEO Ivan Rahman.
Who's opting for drive-thru AI governance?