McDonald's said that customer information was exposed after a security breach involving an email marketing management firm.

McDonald’s released a statement explaining that information was obtained by an “unauthorized third party,” but added that financial information and social security numbers were not part of the data accidentally exposed:

“We have been informed by one of our long-time business partners, Arc Worldwide, that limited customer information collected in connection with certain McDonald’s websites and promotions was obtained by an unauthorized third party,” McDonald’s said in a statement. “Arc retained the services of an email database management firm whose computer systems were improperly accessed by a third party.”