SoylentNews

Data Breach Affects Hundreds of Thousands of Delta Air Lines Customers [Updated]

posted by chromas on Friday April 06 2018, @05:18PM   
from the cyberhaxx dept.

[Updated (2018-04-06 22:18 UTC): According to a report at c|net, the breach also affected: Sears, Kmart, and now Best Buy, too. --martyb]

takyon writes:

Delta Says Data Exposed for 'Several Hundred Thousand' Customers

Delta Air Lines Inc. said a cyber attack on a contractor potentially exposed the payment information of "several hundred thousand customers."

A data breach from Sept. 26 to Oct. 12 at a company called [24]7.ai allowed unauthorized access to customers' names, address, payment-card information, CVV numbers and expiration dates, Delta said in a statement Thursday. The vendor, which provides online chat services to Delta, notified the carrier and other clients last week.

[...] Delta said it wasn't yet able to say how many customers actually had their data stolen. The information was at risk if a customer entered data manually online to complete a payment transaction, Delta said. Data from customers who used a program called Delta Wallet weren't compromised.

Delta statement and response website.

Also at The Verge.

---

Original Submission

• Complete fail... Complete fail... (Score: 0) by Anonymous Coward on Friday April 06 2018, @06:04PM (2 children)

  by Anonymous Coward on Friday April 06 2018, @06:04PM (#663496)

  allowed unauthorized access to customers' names, address, payment-card information, CVV numbers and expiration dates

  What!??! Do these companies not even read the PCI-DSS standards? To get that level of information the data could not have been encrypted, the keys were completely unsecured, and/or they have apps that provide clear text versions of that information in a completely insecure way. PCI-DSS is check-box security, but it's also a wonderful starting place for companies who handle payment information. The fact they failed so miserably is horrible.

• Re:Complete fail... (Score: 3, Insightful) by Virindi on Friday April 06 2018, @06:11PM

  by Virindi (3484) on Friday April 06 2018, @06:11PM (#663499)

  Isn't the whole nature of "checkbox security" like this to evolve into, "if you pay enough to come up with rationalizations you can do anything"?

  Like the building code, Joe Blow building his house gets dinged for completely safe deviations from the listed code requirements. But, SuperDeveloper can build a structure with crappy materials and as long as they have a "close relationship" with the inspector and the thing doesn't actually collapse and kill people, nobody cares.

  Parent

• Re:Complete fail... (Score: 0) by Anonymous Coward on Friday April 06 2018, @06:57PM

  by Anonymous Coward on Friday April 06 2018, @06:57PM (#663517)

  More information from the Delta response webpage.

  We understand malware present in [24]7.ai’s software between Sept. 26 and Oct. 12, 2017, made unauthorized access possible for the following fields of information when manually completing a payment card purchase on any page of the delta.com desktop platform during the same timeframe: name, address, payment card number, CVV number, and expiration date.
  No other customer personal information, such as passport, government ID, security or SkyMiles information was impacted.

  Malware in the third party chat app on the Delta.com website had access to this information as customers were entering it on the webpage. This is why PCI-DSS is only a starting place and companies need to go beyond it to provide a safe experience for their customers. Like others have said, the minimum standard is the *minimum*. Like getting the lowest possible passing grade in school. You passed, but you shouldn't be proud of it.

  Parent