Customers of Sears, Sears subsidiary Kmart and Delta Airlines have had their customer payment information stolen, thanks to a cybersecurity breach at a software provider that they all use.
The firm, called [24]7.ai, provides online customer support services based on artificial intelligence and machine learning. The breach affected users processed through its platform starting on September 26, 2017; the issue persisted until its discovery on October 12, 2017. It is, however, just now notifying its customers; Sears said it wasn’t notified of the incident until mid-March, and Delta only found out on March 28. Other details are scant.
“The unknown factor is whether or not that information was encrypted, or how,” said Lee Munson, security researcher at Comparitech.com. “From an incident response point of view, it is a shame to learn [that] the attack has only now come to light, having occurred and been spotted last year, though we are, of course, unaware of when affected customers were notified.”
The department store said that hackers were able to access credit-card information of about 100,000 of its customers across Sears and Kmart. Delta didn’t provide numbers but characterized the number of affected users as a “small subset” of its customer base. The airline also said that personal details related to passport, government identification, security and SkyMiles information were not impacted.
It’s unclear if other clients are also affected, but the issue has the potential to be far-reaching. The company said itself that the “world's largest and most recognizable brands are using intent-driven engagement from [24]7.ai to assist several hundred million visitors annually, through more than 1.5 billion conversations, most of which are automated.”
The issue, unlike other payment-card breaches, doesn’t involve point-of-sale malware or a network compromise at the affected companies but rather a weak link at a partner. Third-party contractors are just a fact of today’s corporate life, meaning that businesses need to be aware of the security profile of one’s technology partners.
“It’s impossible during this day and age to keep every process and operation under one roof, which introduces a myriad of security and business risk issues that are sometimes impossible to keep track of at all times," said Manoj Asnani, VP product and design, Balbix, via email. “In the case of technology firm [24]7.ai, it is an extremely large responsibility to hold this kind of sensitive information, which should serve as a daily reminder that this data and the systems housing it [are] your lifeblood. Rarely do enterprises have visibility into their partners’ data security practices, yet it is assumed that their respective information will be secured at all costs. This is a big miss and opportunity for change. Whether you’re an enterprise trying to secure your data or a third party managing [personally identifiable information] for someone else, it is imperative that you proactively think across all threat vectors and prioritize monitoring, security fixes and the most stringent policies based on business criticality.”