Now Delta Airlines and Sears Corporation
Both been notified of a data breach that has exposed the credit card information of some 100,000 Sears customers and "hundreds of thousands" of Delta customers.
Neither Delta nor Sears was breached directly. A live chat service called [24]7 (used by both companies), was breached, allowing access to Sears and Delta customer data including credit card numbers, CVV numbers, expiration dates, and cardholder names.
There are several wrinkles and interesting pieces of information that go hand in hand with this news.
Diagram of breach mismanagement
First, if a customer has a Sears-branded credit card, their data was definitively not compromised. Second, according to [24]7, the breach of their system occurred on September 27, 2017, but the incident was not reported to either Sears or Delta until five months after the incident occurred.
Attempts to reach out to [24]7 to discover why it took them five months to notify their impacted customers have been met with silence. All the company will say about the matter is that the investigation is ongoing.
For their part, both Sears and Delta have been handling the fallout from the incident as well as can be expected. They're in the process of notifying impacted customers, and free credit monitoring will be offered.
The key problem, however, is this: Since [24]7 waited five full months to notify Sears and Delta, any fraudulent charges that may have been made on customer credit cards have likely already been made. In addition, linking them to the breach at this point is going to be an uphill battle to say the least.
Security researcher Craig Young, who has been following the issue, had this to say:
"Time is a critical factor for preventing fraud whenever there is a breach of financial data. Delta has assured customers that they won't be held responsible for fraudulent charges, but it seems likely that if fraudulent charges related to this have not already been identified, there is little hope they will ever be connected to this breach."
Our perspective
Indeed, [24]7's handling of the incident is a classic example of how not to handle an incident like this.
Thanks for reading this short post. For more tips on thriving with small business technology, check out the other blog posts at DWPia Blogs. I am also available at dwpia on LinkedIn, at dwpia on Facebook, and @dwpia on Twitter.
Denis S Wilson
I am President and Principal Consultant for DWP Information Architects: specializing in managed IT support for smaller, fast-growth companies in Greater Los Angeles. And have created cost-effective IT solutions, including managed IT support systems, for small business for over 20 years, specializing in cybersecurity and regulatory compliance. I am also a published author and speaker, working extensively with organizations that include: the State of California, the Federal Bureau of Investigation (FBI), the Small Business Administration (SBA), SCORE, Women's Business Centers, and Small Business Development Centers. As well as providing small business technology education programs to business and professional associations.
Check out this blog post
"Cyber Security Check List That Will Underscore Your Potential Business Risks"
