After information on 825,000 Delta Airlines customers was exposed and potentially stolen by at least one hacker in 2017, the airline has filed suit against chatbot vendor 7.ai, claiming poor security led to the breach.
Delta also took aim at the vendor for waiting nearly six months to disclose the breach, according to the suit filed in the U.S. District Court for the Southern District of New York. Even then, disclosure was made via LinkedIn, the airline said, rather than directly to Delta as their contract required.
A bad actor likely accessed credit card data as well as names and addresses of the airline’s customers.
“What’s particularly interesting about this situation is that Delta seems to have had contract provisions (‘adequate security, including encryption’ according to the article) and had its provider sign a GDPR compliance addendum in February 2018 requiring immediate breach notification, five months before notifying Delta about the breach,” said Gary Roboff, Senior Advisor at Shared Assessments. “Delta says its vendor was aware of the breach when it signed that agreement.”
But the airline’s success with the suit may rest on how specific the contract language is. “If Delta actually used the words ‘adequate security’ instead of defining more precisely what good security hygiene means, that could be a problem,” said Roboff.