Delta, Sears Customer Data Breach Exposes Risks of Third Party Providers Once Again

Once again, a third-party vendor may have exposed sensitive credit card information of hundreds of thousands of Delta Air Lines and Sears. The attack shows the vulnerability to reputation and risk from attacks on third party vendors.

The company, [24]7.ai, a customer services company, says that it was a malware attack in late 2017 that made the attack possible.

Both Sears and Delta pointed the blame soundly, and apparently rightfully so, at [24]7.ai. Both Sears and Delta said that [24]7.ai didn’t inform them of the breach until very recently.

Here’s Delta’s response:

On March 28, Delta was notified by [24]7.ai, a company that provides online chat services for Delta and many other companies, that [24]7.ai had been involved in a cyber incident. It is our understanding that the incident occurred at [24]7.ai from Sept. 26 to Oct. 12, 2017 and that during this time certain customer payment information for [24]7.ai clients, including Delta, may have been accessed – no other customer personal information, such as passport, government ID, security or SkyMiles information was impacted.

 Here's the statement from Sears:

[24]7.ai, a company that provides online support services to Sears and Kmart, notified us, as well as a number of other companies, that they experienced a security incident last fall.  We believe this incident involved unauthorized access to less than 100,000 of our customers’ credit card information.  As soon as [24]7.ai informed us in mid-March 2018, we immediately notified the credit card companies to prevent potential fraud, and launched a thorough investigation with federal law enforcement authorities, our banking partners, and IT security firms.

As a result of that investigation, we believe the credit card information for certain customers who transacted online between September 27, 2017 and October 12, 2017 may have been compromised.

Disappointingly, while cruising over [24]7.ai’s website www.247.ai, I couldn’t find any information about the breach. There was plenty of information about AI and customer service, virtual agent benefits, competitive analysis, and links to charitable news coverage. It’s apology or culpability for a breach of several hundred thousand customers? How the company will avoid such outcomes in the future? Nope. If such information is on the company’s website, I couldn’t find it.

Will customers of Sears and Delta hold [24]7.ai responsible? No. They are going to hold Sears and Delta responsible. This shows while it’s possible to outsource risk, it’s not possible to outsource responsibility — not in the eyes of the customers.

While many enterprises I interview do have a process to vet the security of third parties, too many actually do not. I’d say about half do not. This is interesting despite the steady news of third-party security breaches. As more enterprises outsource non-core services to third party providers, it’s important that the contracts with external vendors include security checks.

In a survey conducted two years ago by the Ponemon Institute for BuckleySandler LLP  and Treliant Risk Advisors LLC found that More than a third of businesses "do not believe their primary third-party vendor would notify them if a data breach involving sensitive and confidential information occurred,"

At least [24]7.ai proved late is (somewhat) better than never.

That survey also found that while 37 percent of respondents did not believe that they would be notified by their third-party vendors, a very high 73 percent did not think that fourth-n^th vendors [indirect service providers or subcontractors hired by a third-party vendor] would notify the parties unpon identifying a data breach.

That survey also highlighted third-party risks that remain true: 

• Companies are often uncertain if their third parties had a data breach: Half of respondents (49 percent) confirm their organization experienced a data breach caused by one of their vendors, but 16 percent are unsure.

• The number of cybersecurity incidents involving third parties is increasing: 73 percent of respondents see the number of cybersecurity incidents involving vendors increasing; Sixty-five percent of respondents also say it is difficult to manage cybersecurity incidents involving vendors. 

• Respondents admit they are sharing sensitive data with third parties that might have poor security policies: 58% of respondents say they are not able to determine if vendors' safeguards and security policies are sufficient to prevent a data breach; Only 41 percent of respondents say their vendors' data safeguards and security policies and procedures are sufficient to respond effectively to a data breach.

• Companies need to strengthen the governance practices of their vendor management programs: Only 31 percent of respondents rate the effectiveness of their vendor risk management program as highly effective; Only 38 percent of respondents say their organizations establish and track metrics regarding the effectiveness of the vendor risk management program and less than half (48 percent) have a vendor risk management committee.

• Boards of directors are not involved in third-party risk management programs: 62 percent of respondents say their board of directors does not require assurances that vendor risk is being assessed, managed or monitored appropriately or they are unsure.

The [24]7.ai incident is a reminder how important it is to consider not only the security posture of third-party providers, but also the obligations they have in place with you to respond and inform when such an incident is identified.