Delta Airlines and Sears Corporation have both been notified of a data breach that has exposed the credit card information of some 100,000 Sears customers and “hundreds of thousands” of Delta customers.
Neither Delta nor Sears was breached directly. A live chat service called [24]7, used by both companies, was breached, allowing access to Sears and Delta customer data including credit card numbers, CVV numbers, expiration dates, and cardholder names.
There are several wrinkles and interesting pieces of information that go hand in hand with this news.
First, if a customer has a Sears-branded credit card, their data was definitively not compromised. Second, according to [24]7, the breach of their system occurred on September 27, 2017, but it was not reported to either Sears or Delta until five months later.
Attempts to reach out to [24]7 to discover why it took them five months to notify their impacted customers have been met with silence. All the company will say about the matter is that the investigation is ongoing.
For their part, both Sears and Delta have been handling the fallout from the incident as well as can be expected. They’re in the process of notifying impacted customers, and free credit monitoring will be offered.
The key problem, however, is this: since [24]7 waited five full months to notify Sears and Delta, any fraudulent charges that may have been made on customer credit cards have likely already been made. In addition, linking them to the breach at this point is going to be an uphill battle, to say the least.
Security researcher Craig Young, who has been following the issue, had this to say:
“Time is a critical factor for preventing fraud whenever there is a breach of financial data. Delta has assured customers that they won’t be held responsible for fraudulent charges, but it seems likely that if fraudulent charges related to this have not already been identified, there is little hope they will ever be connected to this breach.”
Indeed, [24]7’s handling of the incident is a classic example of how not to respond to a breach like this.