McDonald’s is the latest big company to be hit by a data breach that has exposed customers’ details.
The breach included e-mail, delivery addresses and phone numbers – but not payment details.
A spokeswoman for the firm said it would take steps to “notify regulators and customers listed in these files”.
The details of the breach, first reported by the Wall Street Journal, were discovered during an external investigation after unauthorised activity was spotted on the company’s network.
The company said its “substantial investment” in cyber security meant it was identified quickly.
“These tools allowed us to quickly identify and contain recent unauthorised activity on our network. A thorough investigation was conducted, and we worked with experienced third parties to support this investigation,” it said.
Operations at its restaurants were not affected by the hack.
The fast food firm did say, however, that personal data on employees was also accessed – although it did not say in which countries.
“In the coming days, a few additional markets will take steps to address files that contained employee personal data.
“Moving forward, McDonald’s will leverage the findings from the investigation as well as input from security resources to identify ways to further enhance our existing security measures.”
The chief executive of Colonial Pipeline also told senators this week that the decision to pay a $4.4m (£3.1m) ransom to hackers in Bitcoin in May was the “hardest decision” of his career. The majority of that money has since been recovered by the US Department of Justice.