Security researchers are pinning a recent data breach – that potentially exposed the credit card information of hundreds of thousands of Delta Air Lines and Sears Holdings customers – on weak third-party security policies.
The cyberattack hit software service provider [24]7.ai, a company that provides online chat services for Delta, Sears and other companies. Hackers targeting [24]7.ai were able to use the platform to collect payment information for Delta and Sears customers.
The attacks began on Sept. 26, 2017 and continued through Oct. 12, according to [24]7.ai. The service provider said its systems were targeted in a malware attack, but declined to detail the nature of the incident. The company said Wednesday that its systems are now secure.
Sears, which said in a statement it was informed of the breach in mid-March, said it believes the incident involved access to fewer than 100,000 customers’ credit card numbers.
Delta, meanwhile, said only “a small subset” of customers had been impacted, but did not specify the number. The airline company was informed of the breach on March 28.
Delta said in a statement that “no other customer personal information, such as passport, government ID, security or SkyMiles information was impacted.”
Meanwhile, Sears said that customers using a Sears-branded credit card were not impacted and “there is no evidence that our stores were compromised or that any internal Sears systems were accessed by those responsible.”
The incident is reminiscent of the 2013 Target breach, which spilled the information of up to 70 million customers. In that case the attackers did not break in through Target’s own systems but through a vulnerable third-party HVAC vendor that had access to them.
“Much like the notorious Home Depot and Target hacks, it’s important for large companies that ship data to third parties to be vigilant and persistent on the security postures of their vendors,” said Zach Allen, director of Threat Operations at ZeroFOX.
Fred Kneip, CEO of CyberGRX, told Threatpost that companies need to adopt a vetting process that includes a real-time assessment of third-party risks.
“The Sears and Delta breaches precisely show how interconnected companies’ digital ecosystems are and why attacks on third parties are so prevalent. Whether it’s chat services or using ADP for payroll, over the last several decades companies are no longer self-contained and they don’t have tight controls over the other companies they work with,” Kneip said.
In particular, online chat features offered by companies such as [24]7.ai pose a “major cybersecurity liability,” tweeted Brian Krebs.
Delta Airlines apparently leaked a bunch of customer payment data through its online customer chat feature https://t.co/7c2Nyxw8Dn < In general I'd say these online chat features are a major cybersecurity liability for most corporations, esp. for threat from social engineering
— briankrebs (@briankrebs) April 4, 2018
In response to the incident, Delta said it will launch a dedicated website (delta.com/response) on Thursday to address customer questions and concerns. The company said it would also directly contact customers who may have been impacted by the breach.
Sears said it will notify impacted customers and post updates to its corporate website.