Once again, a third-party vendor may have exposed sensitive credit card information belonging to hundreds of thousands of Delta Air Lines and Sears customers. The incident shows the reputational and business risk an enterprise carries from attacks on its third-party vendors.
The vendor, [24]7.ai, a customer service company, says a malware attack in late 2017 made the breach possible.
Both Sears and Delta pointed the blame squarely, and apparently rightly, at [24]7.ai. Both said that [24]7.ai did not inform them of the breach until very recently.
Here’s Delta’s response:
On March 28, Delta was notified by [24]7.ai, a company that provides online chat services for Delta and many other companies, that [24]7.ai had been involved in a cyber incident. It is our understanding that the incident occurred at [24]7.ai from Sept. 26 to Oct. 12, 2017 and that during this time certain customer payment information for [24]7.ai clients, including Delta, may have been accessed – no other customer personal information, such as passport, government ID, security or SkyMiles information was impacted.
Here's the statement from Sears:
[24]7.ai, a company that provides online support services to Sears and Kmart, notified us, as well as a number of other companies, that they experienced a security incident last fall. We believe this incident involved unauthorized access to less than 100,000 of our customers’ credit card information. As soon as [24]7.ai informed us in mid-March 2018, we immediately notified the credit card companies to prevent potential fraud, and launched a thorough investigation with federal law enforcement authorities, our banking partners, and IT security firms.
As a result of that investigation, we believe the credit card information for certain customers who transacted online between September 27, 2017 and October 12, 2017 may have been compromised.
Disappointingly, while cruising over [24]7.ai’s website www.247.ai, I couldn’t find any information about the breach. There was plenty of information about AI and customer service, virtual agent benefits, competitive analysis, and links to charitable news coverage. Its apology or culpability for a breach affecting several hundred thousand customers? How the company will avoid such outcomes in the future? Nope. If such information is on the company’s website, I couldn’t find it.
Will customers of Sears and Delta hold [24]7.ai responsible? No. They are going to hold Sears and Delta responsible. This shows that while it’s possible to outsource risk, it’s not possible to outsource responsibility — not in the eyes of the customers.
While many enterprises I interview do have a process to vet the security of third parties, too many actually do not. I’d say about half do not. This is striking given the steady news of third-party security breaches. As more enterprises outsource non-core services to third-party providers, it’s important that the contracts with external vendors include security checks.
A survey conducted two years ago by the Ponemon Institute for BuckleySandler LLP and Treliant Risk Advisors LLC found that more than a third of businesses "do not believe their primary third-party vendor would notify them if a data breach involving sensitive and confidential information occurred."
At least [24]7.ai proved late is (somewhat) better than never.
That survey also found that while 37 percent of respondents did not believe they would be notified by their third-party vendors, a very high 73 percent did not think that fourth- through nth-party vendors (indirect service providers or subcontractors hired by a third-party vendor) would notify the affected parties upon identifying a data breach.
That survey also highlighted third-party risks that remain true:
The [24]7.ai incident is a reminder of how important it is to consider not only the security posture of third-party providers, but also the obligations they have in place with you to respond and notify you when such an incident is identified.
George V. Hulme is an internationally recognized information security and business technology writer. For more than 20 years Hulme has written about business, technology, and IT security topics. From March 2000 through March 2005, as senior editor at InformationWeek magazine, he covered the IT security and homeland security beats. His work has appeared in CSOOnline, ComputerWorld, Network Computing, Government Computer News, Network World, San Francisco Examiner, TechWeb, VARBusiness, and dozens of other technology publications.