2 Remove Virus

Ransomware group claims McDonald’s India data breach

A ransomware group known as the Everest Group claims it has breached the network of McDonald’s India and stolen a significant amount of internal data, according to a post on a darknet forum. The attackers said they exfiltrated about 861GB of files tied to the fast-food company’s operations in the country and threatened to publish the information unless a ransom demand is met.

The Everest Group is a Russia-linked ransomware gang that was previously associated with attacks on European airports and other large organisations. In its dark web notice on 20 January 2026, the group said it obtained internal documents and personal data of customers and employees connected to McDonald’s India. The attackers set a deadline in their message for when the full list of allegedly stolen files would be released publicly if McDonald’s did not engage in ransom negotiations.

Samples of the data posted by the ransomware group showed what the attackers described as customer contact information, employee records, and internal financial reports. Cybersecurity analysts who reviewed the samples noted that much of the material appeared to be older and may date from previous years. The presence of personal data, even if not recent, could elevate the risk of fraud or social engineering against individuals whose information was included.

McDonald’s India has not publicly confirmed the breach or responded with details about the scope of the claims. In similar attacks, ransomware groups often use public naming of victims as a tactic to pressure organisations into paying to prevent data leakage. If negotiations fail, such groups may publish stolen files or put them up for sale on illicit markets.

Ransomware incidents involving large companies have become a recurring feature of the global cybersecurity landscape. Criminal groups combine data theft with encryption of systems to strengthen their leverage. The Everest Group’s activity forms part of this broader pattern, as attackers exploit network vulnerabilities to access and copy files before making extortion demands.

Exposure of internal business documents and personal data can have multiple implications. Beyond potential harm to individuals, leaked information about operations, financial performance, or strategic plans might offer competitors or malicious actors insights that companies typically keep confidential. Organisations targeted by ransomware must weigh responses that include incident containment, cooperation with law enforcement, and communication with affected stakeholders.

As of the latest updates, it remains unclear whether McDonald’s India or its parent company will make a public disclosure about the alleged breach or whether regulatory authorities have been notified. Similar ransomware events involving major brands have prompted investigations by cybersecurity agencies and data protection regulators, reflecting the complex legal and operational issues raised by such incidents.