Stories
Slash Boxes
Comments

SoylentNews is people

posted by chromas on Friday April 06 2018, @05:18PM   Printer-friendly
from the cyberhaxx dept.

[Updated (2018-04-06 22:18 UTC): According to a report at c|net, the breach also affected: Sears, Kmart, and now Best Buy, too. --martyb]

Delta Says Data Exposed for 'Several Hundred Thousand' Customers

Delta Air Lines Inc. said a cyber attack on a contractor potentially exposed the payment information of "several hundred thousand customers."

A data breach from Sept. 26 to Oct. 12 at a company called [24]7.ai allowed unauthorized access to customers' names, address, payment-card information, CVV numbers and expiration dates, Delta said in a statement Thursday. The vendor, which provides online chat services to Delta, notified the carrier and other clients last week.

[...] Delta said it wasn't yet able to say how many customers actually had their data stolen. The information was at risk if a customer entered data manually online to complete a payment transaction, Delta said. Data from customers who used a program called Delta Wallet weren't compromised.

Delta statement and response website.

Also at The Verge.


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 5, Informative) by datapharmer on Friday April 06 2018, @06:01PM (2 children)

    by datapharmer (2702) on Friday April 06 2018, @06:01PM (#663494)

    And why was it they were storing the CVV exactly? According to PCI rules "Sensitive authentication data must never be stored after authorization – even if this data is encrypted."
    See https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf/ [pcisecuritystandards.org] (warning: PDF)

  • (Score: 0) by Anonymous Coward on Friday April 06 2018, @06:04PM (2 children)

    by Anonymous Coward on Friday April 06 2018, @06:04PM (#663496)

    allowed unauthorized access to customers' names, address, payment-card information, CVV numbers and expiration dates

    What!??! Do these companies not even read the PCI-DSS standards? To get that level of information the data could not have been encrypted, the keys were completely unsecured, and/or they have apps that provide clear text versions of that information in a completely insecure way. PCI-DSS is check-box security, but it's also a wonderful starting place for companies who handle payment information. The fact they failed so miserably is horrible.

    • (Score: 3, Insightful) by Virindi on Friday April 06 2018, @06:11PM

      by Virindi (3484) on Friday April 06 2018, @06:11PM (#663499)

      Isn't the whole nature of "checkbox security" like this to evolve into, "if you pay enough to come up with rationalizations you can do anything"?

      Like the building code, Joe Blow building his house gets dinged for completely safe deviations from the listed code requirements. But, SuperDeveloper can build a structure with crappy materials and as long as they have a "close relationship" with the inspector and the thing doesn't actually collapse and kill people, nobody cares.

    • (Score: 0) by Anonymous Coward on Friday April 06 2018, @06:57PM

      by Anonymous Coward on Friday April 06 2018, @06:57PM (#663517)

      More information from the Delta response webpage.

      We understand malware present in [24]7.ai’s software between Sept. 26 and Oct. 12, 2017, made unauthorized access possible for the following fields of information when manually completing a payment card purchase on any page of the delta.com desktop platform during the same timeframe: name, address, payment card number, CVV number, and expiration date.
      No other customer personal information, such as passport, government ID, security or SkyMiles information was impacted.

      Malware in the third party chat app on the Delta.com website had access to this information as customers were entering it on the webpage. This is why PCI-DSS is only a starting place and companies need to go beyond it to provide a safe experience for their customers. Like others have said, the minimum standard is the *minimum*. Like getting the lowest possible passing grade in school. You passed, but you shouldn't be proud of it.

  • (Score: 5, Insightful) by Virindi on Friday April 06 2018, @06:07PM (5 children)

    by Virindi (3484) on Friday April 06 2018, @06:07PM (#663497)

    What is the endgame here? These "data breaches" seem to be accelerating, and bigco and their customers seem to care less and less when they happen ("that's just the status quo"). How is this trend going to go into the future?

    Do "data breaches" actually matter? Or are banks just getting good enough at reissuing cards etc that it will just have minor consequence?

    I note that they didn't mention SSNs being leaked here. But it seems to me that something has to give when it comes to identity verification, like with respect to getting loans or filing taxes. A situation where tens to hundreds of thousands of people are getting scammed cannot continue without demands for fixing the system. It seems like some kind of tightened identity verification is the next logical step.

    Of course, the cynical would say that the masters of the universe will use this crisis to further lock every citizen into some kind of identity 'card' to better track the population. Perhaps something biometric?

    • (Score: 3, Interesting) by c0lo on Friday April 06 2018, @06:48PM (2 children)

      by c0lo (156) Subscriber Badge on Friday April 06 2018, @06:48PM (#663513) Journal

      These "data breaches" seem to be accelerating, and bigco and their customers seem to care less and less when they happen ("that's just the status quo"). How is this trend going to go into the future?

      They'll certainly stop when Trump's tax records will be breached.
      Now, that's an idea... how hard can it be?

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
      • (Score: 0) by Anonymous Coward on Friday April 06 2018, @11:08PM (1 child)

        by Anonymous Coward on Friday April 06 2018, @11:08PM (#663583)

        Maybe the left can embarrass themselves again. http://www.breitbart.com/big-journalism/2017/03/14/epic-fail-rachel-maddow-mocked-after-dragging-out-trump-tax-scoop/ [breitbart.com]

        I remember the 'watch parties' for it. It was amazing how everyone sat around with baited breath hopping the fail they were promised would occur before their eyes. Instead he paid more in 1 year than the other candidates put together for their lifetimes.

        • (Score: 2) by c0lo on Saturday April 07 2018, @12:24AM

          by c0lo (156) Subscriber Badge on Saturday April 07 2018, @12:24AM (#663597) Journal

          how everyone sat around with baited breath

          Must have been an awful smell around, everybody exhaling an odour of fishing bait. Halitosis, I think is called, yeah?
          . [lascribe.net]

          --
          https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 3, Insightful) by Thexalon on Friday April 06 2018, @09:52PM

      by Thexalon (636) on Friday April 06 2018, @09:52PM (#663553)

      Do "data breaches" actually matter?

      It depends on who you're asking.

      Do they matter to the people whose data was breached? Yup, they do, because it means they could have lost a bunch of money without realizing it, and/or had their identity stolen. That second one in particular cannot be fixed by re-issuing a credit card, nor by offering identity protection insurance for a particular length of time (because the thieves can always use the data after the length of time is up).

      Do they matter to the company who goofed and lost the data? Not really. And here's your proof [yahoo.com]: As soon as the noise dies down and a likely-innocent junior-level scapegoat is punished, everything is business as usual. That's why companies who experience breaches treat the situation first and foremost as a public relations problem, not a technical problem.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
    • (Score: 2, Interesting) by Anonymous Coward on Saturday April 07 2018, @12:14AM

      by Anonymous Coward on Saturday April 07 2018, @12:14AM (#663591)

      > I note that they didn't mention SSNs being leaked here.

      Is there even a need for that anymore? They can just correlate it with the Equifax data, which AFAIK already contains SSNs for almost the entire adult population of the US. At this point, leaking SSNs is kind of redundant. Maybe the data set even had them, but the hackers just weren't interested :)

  • (Score: 3, Funny) by bob_super on Friday April 06 2018, @07:18PM (2 children)

    by bob_super (1357) on Friday April 06 2018, @07:18PM (#663522)

    We need a Today's Breach nexus.
    This is getting so systematic and depressingly unpunished, some people will soon want to turn it off like they bypass Politics, Gender studies publications, or Vegan Ramblings.

    • (Score: 3, Funny) by takyon on Friday April 06 2018, @07:40PM (1 child)

      by takyon (881) <takyonNO@SPAMsoylentnews.org> on Friday April 06 2018, @07:40PM (#663525) Journal

      But if you turn off Vegan Ramblings, you might get shot up.

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
      • (Score: 2) by bob_super on Friday April 06 2018, @08:56PM

        by bob_super (1357) on Friday April 06 2018, @08:56PM (#663545)

        Whether you get shot or not, you successfully get rid of Vegan Ramblings.
        So, in all cases, you get to enjoy a much-improved environment.

(1)