Delta Airlines, Sears, Kmart and Best Buy and others have all been hit with a data breach that is connected with Indian Company [24]7.ai. According to a statement from the company, it “discovered and contained an incident potentially affecting the online customer payment information of a small number of our client companies, and affected clients have been notified.” The incident took place Sept. 26 and was finally shut down on Oct. 12, 2017. The company has notified notified law enforcement.
[24]7.ai claims the breach affected a small number of clients but, in reality, that small number contains some the biggest, most well known, companies in the U.S. and the world.
[24]7.ai is a third party vendor that provides online and mobile chat services. According to CNET in addition to the above mentioned companies other big name companies potentially impacted by the breach include Hilton, AT&T, Citi, American Express, eBay and Farmers Insurance. Both American Express and Farmers Insurance have confirmed they were unaffected by the breach.
According to Sears, owners of K-Mart, unauthorized access to customer payment information was limited to less than 100,000 of its customer’s credit card information. Sears says there was no evidence that stores were compromised or that any internal Sears systems were inappropriately accessed.
Delta airlines, among the worlds largest, reported that certain customer payment information may have been accessed but denied other customer personal information, such as passport, government ID, security or SkyMiles information was impacted. “As best we can tell, only a small fraction of our overall online customer population could have been caught up in this [24]7.ai incident, whether or not they used the chat function.” But Delta also stated that it can’t confirm if customer data was actually compromised. Delta is continuing its investigation and has launched a dedicated website to provide the latest developments to customers.
Delta stated that software used by [24]7.ai may have exposed the payment information of as many as several hundred thousand customers using Delta’s PC-accessed website. The company is especially concerned because customers didn’t have to interact with the chat tool to be hit by the hack.
According to Delta customer information compromised includes names, addresses, payment card numbers, CVV numbers, and expiration dates. Customers using the Delta’s Wallet service are considered safe as the malware could only grab information entered on the screen. Delta Wallet “masks” this sensitive information.
Electronic retailers Best Buy also acknowledged it was hit by the same data breach related to [24]7.ai. In a blog post Best Buy said that [24]7.ai had informed the company that an “illegal intrusion” had occurred between September 27 and October 12, 2017. Best Buy says it will inform affected customers directly and they will not be liable for fraudulent charges. It will also offer free credit monitoring.