The customer name, postal address, phone number, birth date, gender, and information about promotional preferences may also have been exposed, the company said in an FAQ on its Web site. Social Security numbers were not included in the database, the company said.
The data was managed by an e-mail database management firm hired by Arc Worldwide, a "longtime business partner" of McDonald's, according to a recorded message on the company's toll-free number. The unnamed database management firm's computer systems were improperly accessed by a third party, McDonald's said.
McDonald's did not disclose the number of records involved or when the breach happened. McDonald's representatives did not immediately return a call seeking comment this morning.
"This incident has nothing to do with credit card use at the restaurants," the FAQ says. "The database that was accessed by the unauthorized third party did not contain any credit card information or any other financial information. Further, the information in the database was not gathered from our restaurant registers, but from voluntary subscriptions to our websites or promotions."
McDonald's is informing customers by sending e-mails to people who subscribed on the sites and has notified law enforcement authorities. The company advised customers to be wary of anyone calling them purporting to be from McDonald's and to report it to the company if that happens.
Meanwhile, customers can unsubscribe at the bottom of its Mcdonalds.com site.