Data Hits Keep Coming With Delta & Sears Breaches

Experts say these breaches raise more troubling questions about why current security defenses are failing.

Online support services were reportedly breached on Delta and Sears websites.

“The hits keep coming,” as Casey Kasem would say. But these data hits, the latest affecting Sears and Delta Air Lines, do not reach for the stars, just customer information.

The Hoffman Estates, Ill.-based department store chain and Atlanta-based airline disclosed Wednesday the possible exposure of personal and payment information as part of a data breach at Campbell, Calif.-based software provider [24]7.ai.

According to published reports, [24]7.ai, which provides online support services, notified Sears in mid-March of unauthorized access to credit card information for less than 100,000 customers. [24]7.ai said the breach happened about Sept. 26, 2017, and reached resolution on Oct. 12. Sears noted the breach did not affect its stores, internal systems or Sears-branded credit cards.

Meanwhile, Delta Air Lines said only “a small subset” of customers had payment information exposed.

The latest breach headline comes on the heels of the Cambridge Analytica/Facebook misuse of personal information that may have involved the information of 87 million users of the social media site; the Panera Bread web site exposure of as many as 7 million customer records; and the Saks and Lord & Taylor leak of 5 million credit card accounts at their POS.

As with the previous incidents, there are many questions but few answers in the Delta/Sears breach.

Craig Young, computer security researcher for Portland, Ore.-based Tripwire’s vulnerability and exposure research team, said, “There are some interesting questions to ask in response to this disclosure. Why was the breach window so short? Were the attackers discovered and booted back in October? If so, why is it that we are only learning of the breach nearly six months later? If not, how can [24]7.ai be so confident of the scope of the breach? Were payment card providers notified sooner?” He added that time is a critical factor for preventing fraud whenever there is a breach of financial data. “It seems likely that if fraudulent charges related to this have not already been identified, there is little hope that they will ever be connected to this breach.”

Satya Gupta, co-founder and CTO at San Jose, Calif.-based Virsec, asserted, “Once again, another breach raises troubling questions about why current security defenses are failing, and why organizations are dragging their feet with public breach notification.” Gupta added, “Whether it is a company or sub-contractor, the first impulse when a breach is discovered seems to be stalling and hoping it will not go public.”

Lee Munson, security researcher at U.K.-based Comparitech, offered, “The cyberattack experienced by Delta highlights the many different facets of a data breach, from the good to the bad, as well as the unknown.” Munson added that, from an incident response point of view, it is a shame to learn the attack only now came to light, since it occurred last year. “Though we are, of course, unaware of when affected customers were notified.”

John Buzzard, industry fraud specialist for Rancho Cucamonga, Calif.-based CO-OP Financial Services, said, “There is always value in information, so anything lost that links a consumer’s identity in any way is harmful in the long run.” He noted fraudsters could exploit Delta’s lost card numbers, expiration dates and CVV information. “The affected card population, as with any breach, will need a fraud strategy put into place to reduce the risk associated with this type of data loss. The situation at Panera is slightly different because the affected data ranges from loyalty program customers’ addresses to a truncated payment card number, making this information more abstract and dangerous than a simple card number.”

Buzzard also pointed out that the potential impact to credit unions includes at least three things. First, the threat of phishing, SMiShing and social engineering by fraudsters seeking to take advantage of the news stories to perpetuate their own scams. Second, card fraud linked to Delta, so CUs should apply reasonable caution and a fraud strategy combined with forthcoming risk reports from VISA and MasterCard. Third, fraud actors contacting the credit union directly, such as with requests for replacement cards in tandem with changes of address.