Everest Ransomware Exposes Customer Data in McDonald’s India Breach – Hackread

The Everest ransomware group has reportedly compromised McDonald’s India, the local branch of the American fast-food conglomerate. The group announced its claims on its official dark web leak site on January 20, 2026, alleging a substantial exfiltration of 861 GB of customer data and internal corporate documents.

In an effort to substantiate their claims, Everest has shared internal screenshots. An examination of these images reveals sensitive financial documents from 2023 to 2026, including audit trails, cost tracking sheets, ERP migration files, and proprietary pricing information. The data appears organized into directories that signify detailed access to accounting or enterprise resource planning systems, with one folder labeled “Investor Info,” hinting at the inclusion of confidential materials intended for board members.

Among the disclosed files is a spreadsheet titled “Contact Database,” which reportedly details personal information of investors and business partners, encompassing names, mailing addresses, phone numbers, and email addresses from several countries, including the United States, the United Kingdom, Singapore, and India. Furthermore, internal store-level data has been exposed, containing the names and contact information of management personnel across various outlet locations, all with company-issued email addresses ending in mcdonaldsindia.com.

The Everest group has claimed that the breach encompasses customer data and has set a two-day ultimatum for McDonald’s India to respond to the allegations. As of now, there has been no official statement from the fast-food chain. It is essential to approach these claims with caution, as they remain unverified pending a response or further evidence from the company.

Ongoing Attacks by Everest

Ranked as one of the most active ransomware entities throughout 2025, Everest appears to be sustaining its aggressive approach into 2026. The group has previously claimed responsibility for attacks on notable organizations, including Nissan, ASUS, Chrysler, Iberia Airlines, Under Armour, Petrobras, AT&T, and Dublin Airport.

Mapped to the MITRE ATT&CK framework, this breach potentially involves several adversary tactics and techniques. Initial access might have come through phishing or the exploitation of unpatched vulnerabilities, while the breadth and orderly structure of the leaked data suggest lateral movement or privilege escalation within the network. Persistence could have been maintained through compromised accounts or backdoor access left in the affected systems.

Cybersecurity experts at Hackread.com are monitoring the evolving situation and have reached out to McDonald’s India for comments regarding the alleged breach. As of the time of reporting, no official response has been given, underscoring the need for constant vigilance in cybersecurity practices among businesses.
