Delta Airlines sues [24]7.ai over 2017 data breach

Those with good memories may recall that in April, 2018, we learned that hundreds of thousands of customers of Delta Airlines, Sears, Kmart, and BestBuy were impacted by a breach involving [24]7.ai – a California headquartered service that provides online customer chat for their clients’ web sites.

The breach occurred between September 26 and October 12 of 2017, but Delta wasn’t notified until March, 2018.  Needless to say, consumers weren’t happy about delayed notification, and in June, 2018, a class action lawsuit was filed against Delta in the Northern District of Georgia.

Now Delta is suing [24]7.ai and 24/7 Customer Philippines Inc.  The suit was filed in the Southern District of New York.

The complaint alleges that despite numerous representations the defendants made about how they would secure data, only months later, the defendants allowed at least one third party attacker “unfettered access to  Defendants’ computer systems from September 26, 2017 through October 12, 2017.”

The complaint alleges that the attacker(s) were able to

exploit Defendants’ insufficient user authentication protocols in order to log in to [24]7’s computer system using all-access [24]7 employee credentials.

After accessing [24]7’s computer systems, the attacker then modified [24]7’s source code so that tags Defendants had placed on Delta’s website not only monitored visitor activity and facilitated the [24]7 chat function, but also “scraped” customer Personally Identifying Information (“PII”) and payment card data inputted by Delta’s customers via Delta’s website and transmitted that data to a third party, presumably a website under the attacker’s control.

More specifically, the complaint alleges that the Defendants:

a. Allowed numerous employees to utilize the same login credentials;
b. Did not limit access to the source code running the [24]7 chat function to only those individuals who had a clear need to access that code;
c. Did not require the use of passwords that met PCI DSS and other industry minimum standards;
d. Did not have sufficient automatic expiration dates for login credentials and passwords with access to sensitive source code; and,
e. Did not require users to pass multi-factor authentication prior to being granted access to sensitive source code.

The complaint states that based on Delta’s investigation to date,  the attacker was potentially able to exfiltrate the names, addresses, and payment card information of approximately 800,000 to 825,000 U.S. Delta customers who inputted that information via Delta’s website, www.delta.com.

To make matters worse, Delta alleges, they were not notified promptly of the breach nor given adequate information that would enable them to communicate with their customers:

Despite the existence of established (and contractually mandated) channels of communication between [24]7 and Delta, when [24]7 finally reached out to Delta about the Data Breach, it did so through the LinkedIn pages of individual Delta and [24]7 employees.

Even when [24]7 finally issued an official communication, it too was short and inadequate. [24]7 provided just three sentences about the [24]7 breach on the [24]7 website.

To this day, no employee or other representative of 24/7 Philippines has provided Delta formal detailed notice of the Data Breach.

Defendants’ failure to provide timely, complete information hindered Delta’s ability to proactively address the breach and communicate with its customers about the incident, thereby exacerbating Delta’s costs in responding to the Data Breach.

[24]7.ai was contacted via both their web site and their media contact email address early ftoday to ask for a comment on the lawsuit, but this site has received no reply as of the time of publication. This post may be updated if a reply is received.

About the author: Dissent