Everest Ransomware Gang Claims McDonald’s India Data Theft


What happened

The Everest ransomware gang claims a McDonald’s India breach on January 20, 2026, saying it exfiltrated 861 GB of data and posted the allegation to its leak site. The group said the stolen material includes internal documents and customer personal data, and it threatened to publish the data if McDonald’s India does not respond within its stated deadline. The report notes McDonald’s India operates through Connaught Plaza Restaurants (North and East India) and Hardcastle Restaurants (West and South India). The incident is described as data-theft-led extortion, where attackers focus on stealing information and using publication pressure rather than only encrypting systems. The report also describes Everest as a Russian-speaking operation active since 2020, associated with “pure extortion” tactics.

Who is affected

McDonald’s India and its operating entities Connaught Plaza Restaurants and Hardcastle Restaurants are directly impacted if the claimed data theft is accurate. Potential exposure involves internal business documents and customer personal data tied to India operations. Downstream risk is indirect for customers and partners whose information may be included in the dataset.

Why CISOs should care

Large-scale data-theft extortion creates material regulatory, reputational, and customer-trust impact even without confirmed encryption. If internal documents and customer records are involved, the incident can accelerate phishing and fraud campaigns and complicate breach response across multiple legal entities and regions, raising operational and communications complexity.

3 practical actions

  • Validate data-exfiltration claims quickly: Correlate logs, DLP alerts, and egress telemetry to confirm whether unusual outbound transfers align with the alleged 861 GB theft window.

  • Contain likely initial access and persistence: Rotate exposed credentials, review remote access pathways, and isolate systems showing suspicious admin activity tied to potential exfiltration workflows.

  • Prepare customer and regulator response workflows: Inventory potentially affected data domains and align legal, privacy, and communications teams on notification triggers and evidence requirements.
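As an added illustration of the first action above (not part of the original report), the Python sketch below sums outbound flow volume per internal host over a suspected exfiltration window and compares it with that host's own prior baseline; the address ranges, thresholds and flow records are constructed assumptions, not data from the incident.

```python
"""Aggregate egress flow records per internal host and flag volumes that are
anomalous against each host's own baseline. All flow records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed internal ranges; adjust to the environment's address plan.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample flows: (ISO timestamp, src_ip, dst_ip, bytes_out).
SAMPLE_FLOWS = [
    ("2026-01-17T12:00:00", "10.1.2.44", "198.51.100.9", 50_000_000),
    ("2026-01-18T09:00:00", "10.1.2.10", "203.0.113.5", 250_000_000),
    ("2026-01-18T10:00:00", "10.1.2.10", "203.0.113.5", 300_000_000),
    ("2026-01-19T02:10:00", "10.1.2.44", "198.51.100.9", 120_000_000_000),
    ("2026-01-19T03:40:00", "10.1.2.44", "198.51.100.9", 95_000_000_000),
    ("2026-01-19T04:05:00", "192.168.5.7", "10.1.2.44", 2_000_000_000),
    ("2026-01-19T09:30:00", "10.1.2.10", "203.0.113.5", 280_000_000),
]

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def egress_by_host(flows, start_iso, end_iso):
    """Sum bytes from internal sources to external destinations in [start, end)."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    totals = defaultdict(int)
    for ts, src, dst, nbytes in flows:
        t = datetime.fromisoformat(ts)
        if start <= t < end and is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)

def flag_exfil(flows, start_iso, end_iso, baseline_days=7, ratio=10.0,
               floor_bytes=10 * 10**9):
    """Flag hosts whose egress in the window exceeds an absolute floor and
    `ratio` times their average daily egress over the preceding baseline_days."""
    start = datetime.fromisoformat(start_iso)
    base_start = (start - timedelta(days=baseline_days)).isoformat()
    window = egress_by_host(flows, start_iso, end_iso)
    baseline = egress_by_host(flows, base_start, start_iso)
    flagged = {}
    for host, total in window.items():
        daily_avg = baseline.get(host, 0) / baseline_days
        # max(..., 1) keeps hosts with no baseline history from comparing against zero
        if total >= floor_bytes and total >= ratio * max(daily_avg, 1):
            flagged[host] = total
    return flagged
```

Flagged hosts are candidates for correlation with DLP alerts and admin-activity logs, not proof of theft; internal-to-internal transfers are deliberately ignored so that staging traffic does not inflate the egress total.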


John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.