Sears and Delta Airlines customers' payment data exposed by third-party vendor breach

A third-party vendor data breach that took place last autumn exposed payment card information belonging to customers of Delta Airlines; Sears, Roebuck and Company; and possibly additional businesses, according to three separate public disclosures.

On Thursday, San Jose, Calif.-based customer acquisition and engagement services provider [24]7.ai reported via press release that the unspecified cyber incident took place from Sept. 26 - Oct. 12, 2017, affecting online payment data collected by a "small number of our client companies."

The vendor, which provides solutions for online chat, virtual agents and customer analytics, did not specify precisely how many of its clients are involved, and a company spokesperson did not answer any questions from SC Media, citing "client confidentiality agreements."

Delta Airlines and Sears also published disclosures, noting that [24]7.ai notified them of the breach only in March, even though [24]7.ai says the matter was resolved back on Oct. 12. Sears, which operates the Sears and Kmart retail chains, said it learned of the incident in "mid-March," while Delta stated it became aware of the event on Mar. 28.

According to Sears' disclosure, fewer than 100,000 consumers were impacted, and holders of Sears-branded credit cards were not among them. The company also noted that there is "no evidence that our stores were compromised or that any internal Sears systems were accessed by those responsible."

"[24]7.ai has assured us that their systems are now secure," Sears added.

Meanwhile, Delta said only that a "small subset of our customers" was involved, adding that it was unable to "say definitively whether any of our customers' information was actually accessed or subsequently compromised."

Aside from payment data, "no other customer personal information, such as passport, government ID, security or SkyMiles information was impacted," Delta continued.

Both companies said they are coordinating with federal law enforcement authorities and IT security experts. Sears also plans to create a hotline for customers by Friday, while Delta has set up a dedicated website to keep customers informed and updated.

"The Sears and Delta breaches precisely show how interconnected companies' digital ecosystems are and why attacks on third parties are so prevalent. This stands out because it is two for the price of one," said Fred Kneip, CEO of CyberGRX. "Just like no one knows the name of the HVAC vendor that led to the Target breach in 2013, no one will remember the name of this contractor when all is said and done. Instead, customers will remember that Sears and Delta put their data at risk."

Kneip suggests that companies thoroughly vet the security practices of third-party vendors, a sentiment echoed in comments by Zack Allen, director of threat operations at ZeroFOX.

"...It's important for large companies that ship data to third parties to be vigilant and persistent on the security postures of their vendors," said Allen. "Security questionnaires may provide legal protection, but because digital and brand security is a rapidly emerging risk for large companies, they should invest more into truly scrutinizing their vendors' security practices. This will become more of an issue as a competitive market of vendors rises to meet businesses' needs while the cybersecurity skills and jobs gap fails to meet the supply."

Craig Young, computer security researcher for Tripwire's VERT (Vulnerability and Exposure Research) Team, said that several key questions continue to linger on the heels of the companies' disclosures. "Why was the breach window so short?" Young asked. "Were the attackers discovered and booted back in October? If so, why is it that we are only learning of the breach nearly six months later? If not, how can [24]7.ai be so confident of the scope of the breach?"