The McDonald’s app in India had a gaping security hole and researchers pointed it out in public last week. When asked about the security flaw, the company sent out the following response:

“We would like to inform our users that our website and app do not store any sensitive financial data of the users like credit card details, wallet passwords or bank account information. The website and app have always been safe to use, and we update security measures on a regular basis. As a precautionary measure, we would also urge our users to update the McDelivery app on their devices. At McDonald’s India, we are committed to our users’ data privacy and protection.”

What’s appalling about this statement is that it’s non-committal at best and takes its users’ security for granted. The company does not take responsibility for the vulnerability and even tries to give the user a false sense of security. Sure, the app doesn’t store financial data. But the personally identifiable information that it does store, such as phone numbers, names and addresses, was left exposed by the security flaw, and that data should have been secured too.

The statement further urges users to update the McDelivery app on their devices. If the website and app have ‘always been safe to use,’ the timing of ‘we urge the users to take precautionary measures’ is suspect.

In India, companies often tend to brush hacks and security breaches under the carpet, hoping that no one will ever find out. Take, for instance, the high-profile hacks that happened when a hacker group called Legion compromised servers: all of the affected companies denied being hacked. This poses a huge risk to users, who are left completely unaware that their data has been compromised. In countries like the US, there are strict security breach notification laws. Companies are required to notify customers and other stakeholders about the breach and to take steps to protect their data.

Also see: Exclusive: Interview with hacker group Legion