Customer Receives McDonald’s Database Credentials

An interesting story. A customer at McDonald’s UK transacted with the company and received an email with database credentials. Like a good customer, he tried to reach the company to make them aware of the exposure. And he tried. And tried.

It seems McDonald’s needs to review and streamline its incident response process (if any), including notification channels. An incident response plan needs to be thought through, documented and tested. That includes making it easy for someone outside the company to report an incident.

Also, something must have been very badly misconfigured for the login details to be sent to random people in the first place. This implies that some code was written and went live, probably without being reviewed or tested. Perhaps the particular scenario that resulted in the database credentials being emailed was not anticipated, but it would appear the customer was not doing anything extraordinary, so this flaw should have been caught.
