Delta And Sears Among Companies Hit By Massive Data Breach

A malware attack is to blame for the Delta and Sears breach.

Delta Airlines and Sears disclosed a major data breach on Thursday (5 April) that may have exposed thousands of online customer payment card details.

A software vendor known as [24]7.ai is apparently to blame for the breach. None of the affected companies’ internal databases were breached; instead, malware hidden temporarily inside [24]7.ai’s chat service could have harvested user payment information after a transaction was completed.

A spokesperson for Delta told CNet that customers who did not use the online chat could still be affected. “Any customer who entered payment data on Delta.com during September 26 to October 17 may have had their information accessed.”

Numerous companies affected

Delta admitted that hundreds of thousands of customers could have had data stolen. Sears, which owns popular retail outlet Kmart, pegs its affected customers at fewer than 100,000.

Best Buy, the massive electronics retailer, also said its customers had been affected by the breach, either by using the malware-spiked customer service chat or indeed just by entering billing details into the company’s desktop site.

[24]7.ai said that the issue only affected a small number of its client companies, and both it and Delta said there is no proof any data was stolen, only that the window of opportunity had been open. In a statement, [24]7.ai said: “We are confident that the platform is secure, and we are working diligently with our clients to determine if any of their customer information was accessed.”

This may change, as Delta was only informed of the breach at the end of March while Sears was told in the middle of the month.

Best Buy and Delta will offer free credit monitoring to customers and Sears is providing updates on this website.

Third-party attacks on the increase

Fred Kneip, CEO of risk management platform CyberGRX, said the breach is yet another example of a third-party vulnerability, something that is becoming increasingly common. “Just like no one knows the name of the HVAC vendor that led to the Target breach in 2013, no one will remember the name of this contractor when all is said and done.

“Instead, customers will remember that Sears and Delta put their data at risk. When third parties demonstrate weak security controls, the blame and the headlines will always gravitate toward the companies with name recognition.

“A real-time assessment of third-party cyber risk has to be a part of the vetting process when companies engage with any third party, including vendors, suppliers and outsourcers.”

A Delta aircraft. Image: Markus Mainka/Shutterstock
