What happened
The Everest ransomware gang claims a McDonald’s India breach on January 20, 2026, saying it exfiltrated 861 GB of data and posted the allegation to its leak site. The group said the stolen material includes internal documents and customer personal data, and it threatened to publish the data if McDonald’s India does not respond within its stated deadline. The report notes McDonald’s India operates through Connaught Plaza Restaurants (North and East India) and Hardcastle Restaurants (West and South India). The incident is described as data-theft-led extortion, where attackers focus on stealing information and using publication pressure rather than only encrypting systems. The report also describes Everest as a Russian-speaking operation active since 2020, associated with “pure extortion” tactics.
Who is affected
McDonald’s India and its operating entities Connaught Plaza Restaurants and Hardcastle Restaurants are directly impacted if the claimed data theft is accurate. Potential exposure involves internal business documents and customer personal data tied to India operations. Downstream risk is indirect for customers and partners whose information may be included in the dataset.
Why CISOs should care
Large-scale data-theft extortion creates material regulatory, reputational, and customer-trust impact even without confirmed encryption. If internal documents and customer records are involved, the incident can accelerate phishing and fraud campaigns and complicate breach response across multiple legal entities and regions, raising operational and communications complexity.
3 practical actions
- Validate data-exfiltration claims quickly: Correlate logs, DLP alerts, and egress telemetry to confirm whether unusual outbound transfers align with the alleged 861 GB theft window.
- Contain likely initial access and persistence: Rotate exposed credentials, review remote access pathways, and isolate systems showing suspicious admin activity tied to potential exfiltration workflows.
- Prepare customer and regulator response workflows: Inventory potentially affected data domains and align legal, privacy, and communications teams on notification triggers and evidence requirements.
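The first action above, validating an exfiltration claim against egress telemetry, as an added example that is not part of the original report: it totals outbound bytes per internal host over a claimed theft window and flags hosts whose volume approaches the stated 861 GB. The log format, host names, addresses and timestamps are constructed for illustration; the window dates are an assumption, not a detail from the report.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed egress records (not real telemetry):
# "<ISO timestamp> src=<host> dst=<ip> bytes_out=<n>"
SAMPLE_EGRESS_LOG = """\
2026-01-18T22:15:04Z src=fileserver01 dst=203.0.113.10 bytes_out=412000000000
2026-01-18T23:40:11Z src=fileserver01 dst=203.0.113.10 bytes_out=449000000000
2026-01-19T09:02:33Z src=laptop-42 dst=198.51.100.7 bytes_out=5000000
2026-01-17T08:00:00Z src=fileserver01 dst=192.0.2.20 bytes_out=900000000
"""

CLAIMED_BYTES = 861 * 10**9  # 861 GB as stated in the leak-site claim (decimal GB assumed)

# Assumed review window around the claimed breach date; adjust to the real timeline.
WINDOW_START = datetime(2026, 1, 18, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 1, 21, tzinfo=timezone.utc)

def parse_egress(text):
    """Yield (timestamp, src_host, bytes_out) from the constructed log format."""
    for line in text.splitlines():
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, kv["src"], int(kv["bytes_out"])

def egress_by_host(text, start, end):
    """Total outbound bytes per source host for records with start <= ts < end."""
    totals = defaultdict(int)
    for ts, src, nbytes in parse_egress(text):
        if start <= ts < end:
            totals[src] += nbytes
    return dict(totals)

def flag_exfil_candidates(text, start, end, claimed_bytes, ratio=0.5):
    """Return hosts whose in-window egress reaches `ratio` of the claimed volume.
    The ratio is below 1.0 because a large theft may be spread across hosts;
    treat hits as leads to correlate with DLP and proxy data, not as confirmation."""
    totals = egress_by_host(text, start, end)
    return sorted(h for h, b in totals.items() if b >= ratio * claimed_bytes)

if __name__ == "__main__":
    print(egress_by_host(SAMPLE_EGRESS_LOG, WINDOW_START, WINDOW_END))
    print(flag_exfil_candidates(SAMPLE_EGRESS_LOG, WINDOW_START, WINDOW_END, CLAIMED_BYTES))
```

The out-of-window record on 2026-01-17 is deliberately excluded, which is the check that separates a baseline transfer from activity inside the claimed theft window.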
