Bot-ched security: Chat system hacked to slurp hundreds of thousands of Delta Air Lines, Sears customers' bank cards
Hi! How may we pwn you today?
Hackers are feared to have swiped sensitive personal information held by two of the best known companies in the US – after malware infected a customer support software maker.
Both Sears and Delta Air Lines said Wednesday that hundreds of thousands of customers' payment card numbers, expiration dates, and CVV security codes, were potentially extracted by the malware and siphoned to its masterminds.
The cyber-heist was traced to an infection at 7.ai, a Silicon Valley biz specializing in chat and customer service bots that help punters perform, among other things, credit card purchases.
"The incident began on Sept 26, and was discovered and contained on Oct 12, 2017," 7.ai said in its confession on Wednesday.
"We have notified law enforcement and are cooperating fully to ensure the protection of our clients and their customers' online safety. We are confident that the platform is secure, and we are working diligently with our clients to determine if any of their customer information was accessed."
Sears says crooks got their hands on under 100,000 of its customers payment card details, while Delta estimates that "several hundred thousand" flyers probably had their payment card details lifted.
"While we believe we have identified with some precision the transactions that could have been impacted, we cannot say definitively whether any of our customers’ information was actually accessed or subsequently compromised," Delta said.
So far, no other personal information was believed to have been accessed. Sears notes that customers who made online purchases during the infection period (September 27 to October 12) using a Sears-branded credit card were not impacted. Brick-and-mortar store purchases were also safe from the intrusion.
The incident underscores what has become an overlooked, but very important, risk factor for enterprises; partners who have access to customer data. In addition to securing their own systems, companies are increasingly going to have to do their homework on the third-parties they choose to handle customer information.
Perhaps the best example is the disastrous 2013 data theft at Target, in which the sales terminal malware that stole details on 40 million customer payment cards was eventually traced back to credentials stolen from the chain's air conditioning provider. ®