Hamburglar strikes again, feasts on $2,000 in meals using customer's McDonald's app

The mysterious Quebec hamburglar has struck again, racking upmore than $2,000 worth of meals at different McDonald's in Montreal. This time, anunsuspecting Toronto tech writer got stuck with the bill.

"I was just panicked because that's a lot of money," said Patrick O'Rourke, managing editor of the tech news site, MobileSyrup.

The fraudster pulled off the fast-food scam by infiltrating O'Rourke'sMcDonald's mobile appaccount,which was linked to his debit card. The scammer then used the app to order more than 100 meals for pick-up between April 12 and 18. The smorgasbordincluded McFlurries, Big Macs, Chicken McNuggets and poutine.

"It could be one guy who was able to hack my account and he shared it with a bunch of his friends across Montreal, and they all just went on a food spree," said O'Rourke, who's baffled by the crime.

His case follows a string of complaints from other Canadian customers who've claimed either online or to media outlets that someone hacked their McDonald's appaccount and ran up big bills.

None of the four victims CBC News hasinterviewed live in Quebec, but in each case, fraudsters ordered meals for pick-up at a McDonald's in the province.

O'Rourke's bank eventually refunded his money, but he's unhappy with how McDonald's handled the matter. Heclaims the company missed the mark by doing little to help himand by not issuing warnings to other customers.

"To me, it just seems like a little bit negligent ...like they don't really care," he said."McDonald'sshould at least be sending out a mass email to everyone that has the account [to say], 'Hey, you should reset your password.'"

The Canadian McDonald's app, calledMy McD's, is just the latest target for cyber criminals. Last year, theywere busystealingAeroplan and PC Optimum rewards points from some members' online accounts. Many of the fraudsters involved in PC Optimum cases also carried out their crimes inQuebec.

Cybersecurity expert Ritesh Kotak said that in the digital era, companies need to pullout all the stops to protect consumers from cyber criminals.

"We're moving to a cashless society,"said Ritesh who's based in Toronto. "They put all this money into app development, are they putting the same amount of money and rigour and research into the security component of it?"

McDonald's Canada told CBC News that it's only aware of "some isolated incidents" involving compromised app accounts. The company said it keeps personal information secure and that it's confident in the security of its app.

McDonald's didn't say how fraudsters have infiltrated customeraccounts, but it recommended that customers practice due diligence by beefing up their passwords and keeping them secure.

"If guests notice any unauthorized purchases, we recommend they contact their bank and change their password immediately," said spokesperson Adam Grachnik in an email.

Where's my refund?

Grachnik also saidMcDonald's app users receive an email confirmation after every transaction.

O'Rourke'sbill which totaled $2,034 consisted of more than 100 email receipts.He didn't notice them until they had run up over the course of a week, because the emails landedin a separate "updates" folder in hisinbox.

When he called McDonald's to report the case, O'Rourkesaid he was surprised that the company wouldn't refund his money, and instead told him to deal with his bank.

"I find it pretty shocking that a massive company like McDonald's wouldn't just take responsibility for something like this," he said. "They have more than enough money to be reimbursing people for these issues."

Brian Coleman of Kitchener, Ont., was also disappointed when McDonald's didn'tofferhim a refund. Someone used his app in late March to run up $267 worth of McDonald's orders in Montreal.

"I expected them to do the refund because it wastheir fault," he said. "It's their application. If it's not secure, they should take responsibility."

Coleman had his app linked to his credit card, so McDonald's directed him to his credit card company which eventually issued the refund.

Cybersecurity expert Kotak said even if the culpritis something as simple as a weak password, McDonald's should keep customers informed and work with victims to resolve problems.

"When something like this happens, it's a real step back and a loss of consumer trust," he said.

"They need to bring in experts to say, 'This is the reason for this,' and then work with the banks to ensure that consumers are refunded."

Kotek also recommends that McDonald's implement more protections such as two-step authentication when members access their account.

PC Optimum recently launched stronger password requirements and two-step authentication following its spate of points thefts.

CBC News asked McDonald's what steps it has taken in light of the recent fraud cases.

"Similar to other apps, we are constantly improving the My McD's App and updating it with enhancements to make the user experience as strong and safe as possible," said spokespersonGrachnik.