Delta Air Lines and Sears Holding Corp. on Thursday disclosed a data breach that may have exposed the payment card details of hundreds of thousands of online customers.
The breach originated at a software vendor called 7, which provides Sears, Delta, and other businesses with online chat services. Less than 100,000 Sears customers were supposedly impacted, according to Sears. A Delta spokesperson said hundreds of thousands of travelers are potentially exposed.
Gizmodo has learned the breach was the result of a malware attack, and that the unauthorized access involved payment card numbers, CVV numbers, and expiration dates, in addition to customers’ names and addresses.
In a statement, 7 said the breach occurred on September 27th of last year and was contained roughly two weeks later. In a statement, Sears said it was first notified about the breach in mid-March. Credit card companies have been notified, and law enforcement is likewise investigating the incident.
“Customers using a Sears-branded credit card were not impacted,” Sears said. “In addition, there is no evidence that our stores were compromised or that any internal Sears systems were accessed by those responsible.”
Delta said it would be contacting customers directly by first-class postal mail and launching a dedicated phone line and website for those affected. Free credit monitoring will be offered.
The nature of the malware involved has not been disclosed and it remains unclear whether the payment card information, which Delta say was entered by the customers themselves, got intercepted in transit or was improperly stored.
It is also unclear why more than five months passed before 7 notified Sears and Delta.
“Time is a critical factor for preventing fraud whenever there is a breach of financial data,” Craig Young, a security researcher at Oregon-based software firm Tripwire told Gizmodo. “Delta has assured customers that they won’t be held responsible for fraudulent charges, but it seems likely that if fraudulent charges related to this have not already been identified, there is little hope that they will ever be connected to this breach.”
In an email, a 7 spokesperson declined to offer any additional information, citing client confidentiality. They would not say why it took five and a half months to notify Delta and Sears about the breach.
“Taking five months to notify your customers about a breach is deplorable,” said Adriel Desautels, founder of the penetration testing company Netragard. “Not only does it keep your customers and their clients at increased risk, but it also provides the hackers with ample time to profit from their breach.”
Added Desautels: “This delay is a strong indicator that 7 did not have a well-defined incident response plan established prior to their breach. One of the key objectives of an incident response plan is to block additional damages once an incident is identified.”
According to its website, 7 serves a wide range of industries, from banking and healthcare to insurance and travel & hospitality. In addition to Delta and Sears, the company has provided customer service solutions to Vodafone, Merrill Lynch, Victoria’s Secret, and Hong Kong Disneyland, among others.
While Delta and Sears were identified as the only companies affected by the breach, it is not clear why that would be the case—if, in fact, it is.
Zack Allen, director of threat operations at ZeroFOX, a Baltimore-based security firm, told Gizmodo that to prevent breaches impacting their brands, businesses need to invest more time in scrutinizing their vendor’s security practices. “Much like the notorious Home Depot and Target hacks, it’s important for large companies that ship data to third parties to be vigilant and persistent on the security postures of their vendors.”
“This will become more of an issue as a competitive market of vendors rise to meet businesses needs while the cybersecurity skills and jobs gap fails to meet the supply,” Allen added. “The future for cybersecurity jobs looks both promising and daunting as the workforce lacks the manpower needed to prevent these incidents.”