US-based Delta Air Lines and Sears Holdings, the owner of Sears and Kmart, have announced that the breach suffered by chatbot company [24]7.ai has resulted in the compromise of their customers' credit card information.
According to a statement by [24]7.ai, which provides online support services to the two companies, the incident began on September 26 and was discovered and contained on October 12, 2017.
Sears Holdings says that the incident involved unauthorized access to the credit card information of fewer than 100,000 of its customers, but that customers using a Sears-branded credit card were not impacted.
“As soon as [24]7.ai informed us in mid-March 2018, we immediately notified the credit card companies to prevent potential fraud, and launched a thorough investigation with federal law enforcement authorities, our banking partners, and IT security firms,” the company noted.
Delta said that even though only a small subset of their customers would have been exposed, they cannot say definitively whether any of their customers’ information was actually accessed or subsequently compromised. Still, they made sure to point out that “no other customer personal information, such as passport, government ID, security or SkyMiles information was impacted.”
“On Thursday Delta launched delta.com/response, a dedicated website, which we will update regularly to address customer questions and concerns. We will also directly contact customers who may have been impacted by the [24]7.ai cyber incident. In the event any of our customers’ payment cards were used fraudulently as a result of the [24]7.ai cyber incident, we will ensure our customers are not responsible for that activity,” the company added.
Both companies said that they were informed of the incident in March 2018. It is unknown why [24]7.ai did not notify them of the incident sooner.
“The Sears and Delta breaches precisely show how interconnected companies’ digital ecosystems are and why attacks on third parties are so prevalent. This stands out because it is two for the price of one,” Fred Kneip, CEO, CyberGRX, commented.
“As with so many similar attacks before, the breaches taking place at Sears and Delta were introduced by a vulnerability from a third party, in this case a small customer service shop. Just like no one knows the name of the HVAC vendor that led to the Target breach in 2013, no one will remember the name of this contractor when all is said and done. Instead, customers will remember that Sears and Delta put their data at risk. When third parties demonstrate weak security controls, the blame and the headlines will always gravitate toward the companies with name recognition. A real-time assessment of third-party cyber risk has to be a part of the vetting process when companies engage with any third party, including vendors, suppliers and outsourcers.”
Laurie Mercer, Solutions Engineer at HackerOne, says that this incident raises many questions about how we can secure the data we enter into third-party systems and manage the security of vendors.
“Today consumers are asking more and more questions about where our data resides, and how our data is being protected. These concerns are reflected in legislation like the General Data Protection Regulation in the EU. This breach highlights the importance of securing the vendor ecosystem as well as our own in-house systems,” he noted.