Delta Air Lines’ chat vendor discloses 6-month-old data breach

The payment data of a “small subset” of Delta Air Lines customers may have been exposed when [24]7.ai, the vendor of the airline’s chat function, was hacked.

The incident occurred between Sept 26 and Oct. 12, 2017, but [24]7.ai did not inform Delta until March 28.

In turn, Delta made the incident public a week later.

Delta would not comment on the reasons for the timing of either disclosure, but it offered a timeline of related events on its website.

On Oct. 12, [24}7.ai discovered and contained the breach, which affected only payment data of customers who used Delta’s chat function on either its website or mobile app.

Other personal data, such as passwords or Social Security numbers, were not exposed.

During the following months, the San Jose, Calif., vendor worked with law enforcement to investigate the cause of the breach.

When Delta learned of the incident in March, it began working with [24}7.ai to gauge any potential impact the incident had on its customers or systems.

“We also engaged federal law enforcement and forensic teams, and have confirmed that the incident was resolved by [24]7.ai last October.”

Delta said it could not confirm whether any customer data were, in fact, exposed in the hack.

Out of an “abundance of caution,” however, it shut down the chat function and offered free protection services to customers who feel they may be at risk.

That and other information is available at a dedicated website here.

Sears and Best Buy say their customers may also have been affected.

Bills to require companies to disclose data breaches within in a certain time have been introduced in the US Congress from time to time, but the efforts – generally backed by Democrats – have stalled.

Several states, however, have passed laws requiring timely disclosure.

Florida allows companies to report within 30 days, the tightest window.

Under the European Union’s General Data Protection Regulation (GDPR), which goes into effect on May 25, companies will have 72 hours to disclose data breaches.

Henry Harteveldt, chief analyst at Atmosphere Research in San Francisco, said companies need to pay close attention to the laws governing disclosures.

“You don’t have four or five months to report these things. In this digitally based commercial environment, you won’t have four or days.”

Share on FacebookTweet about this on TwitterShare on LinkedInEmail to someone
 
 
Michele McDonald

About the Writer :: Michele McDonald

Michele McDonald is a senior editor at tnooz. She has worked as a journalist covering the travel industry for more than two decades. She is a former managing editor of Travel Weekly (US) and former editor-in-chief of Travel Distribution Report. In 2002, she founded Travel Technology Update, a newsletter for distribution professionals. She remains editor and publisher of Travel Technology Update. She also contributes to Air Transport World.

 

Comments

Your email address will not be published. Required fields are marked *

No one has commented yet. be the first!

 
 

Newsletter Subscription

Please subscribe now to Tnooz’s FREE daily newsletter.

This lively package of news and information from Tnooz’s web site provides a convenient digest of what’s happening in technology that drives the global travel, tourism and hospitality market.

  • Cancel