Thanks for joining us for the second installment of After the Hack, where we break down a handful of infamous hacks. For each hack, we’ll discuss what happened, how it happened, and what lessons were learned.
If you’re joining us for the first time, don’t forget to check out last week’s post on the 2012 LinkedIn hack.
This week, we’re going to take a look into Delta Air Lines’ latest data breach.
So, what happened to Delta?
From September 26 to October 12, 2017, 7.ai, Delta’s online customer service vendor, accidentally exposed the credit card information of hundreds of thousands of Delta customers. The 7.ai leak was the result of malware.
No other types of customer personal information, such as passport, government ID, security, or SkyMiles information, were impacted. The hackers only had access to certain customer payment information.
But rather than telling Delta right away, 7.ai kept quiet about the breach.
Delta said it found out about the attack on March 28, 2018. That’s almost SIX months after the fact.
In response, Delta created a website offering customers information about the security breach.
According to a public statement made by Delta, Delta directly contacted customers whose payment data was compromised by the cyber incident. If customer payment cards were used fraudulently as a result, Delta “[would] ensure [its] customers are not responsible for that activity.”
Let’s back up a minute. What is 7.ai?
7.ai is a third-party vendor that provides online chat services. Delta, along with a couple of other big-name companies (Sears, Kmart, Best Buy), used 7.ai’s chat service. This isn’t too uncommon. Customer service chat functionality is often outsourced to a third party.
The chat service allows customers to converse easily with Delta representatives in order to find a solution to their problem.
So, how did 7.ai and Delta get hacked?
7.ai was the victim of a malware campaign. Malware is software designed to cause damage to a computer, server, or computer network. Once implanted, malware can take the form of executable code, scripts, active content, and other software. As a result, malware can be many things, like a Trojan horse, ransomware, spyware, or a virus.
And while the data breach itself occurred on 7.ai’s end, multiple companies, including Delta and Sears, were affected.
The malware resided in 7.ai’s chat service. Once a Delta customer completed a transaction in the chatroom, their payment card details became accessible to the hackers. Delta customers who did not use the chat tool were not compromised.
7.ai did not disclose where the malware came from or how it got installed on their network.
The legal aftermath.
In June 2018, a class action lawsuit was filed against Delta. The lawsuit claims that the company did not notify its customers soon enough.
The lead plaintiff, Teresa McGarry, states, “Despite the hack occurring six months prior, Delta customers were not notified of the breach of their sensitive information until April 2018.”
“Their [personally identifiable information] was available to hackers for six months without their knowledge. Data thieves had use of customers’ PII during this time while Delta customers were totally unaware,” alleges the Delta class action lawsuit.
The Delta data breach class action lawsuit argues that the airline and online chat provider should have protected consumer information better, especially in light of recent major data breaches at large companies.
Likewise, 7.ai is facing its own class action lawsuit. The lawsuit claims that 7.ai collected personal customer data while customers used their chat service. It also claims that the chat company failed to notify affected customers in a timely fashion.
What about the hacker?
There is no information on who the hacker is. We can assume that the hacker or group of hackers is still at large.
Takeaways for SMB owners.
Using the 7.ai and Delta data breach as a case study, here are our five big takeaways for SMB owners:
1. Your company’s security is only as good as its partners’ security.
Mistakes by a third-party provider can expose your company’s data to hackers. A third-party’s lousy security can provide easy entry points for attackers and malware campaigns.
Before you partner with a third-party vendor, you should conduct due diligence and make sure proper controls are in place to limit and secure what that third-party vendor has access to.
2. Third-party vendors are targets.
The 7.ai breach shows how companies’ digital ecosystems are intertwined with one another. That’s why attacks on third parties are so prevalent.
Another good example of a third-party hack is the massive Target data breach in 2013. Hackers stole login credentials to one of the retailer’s billing systems from one of its air conditioning contractors.
3. Work with each of your third-party providers to understand their security protocols.
Organizations must understand that vendors with access to customer data are a major risk factor. Therefore, you MUST talk about security with your vendors. You MUST understand what their security protocols are.
And depending on your customer base and the types of data you collect and maintain, you may want to only partner with companies that have SOC reports.
SOC stands for System and Organization Controls, a set of standards that measure how well a given service organization manages and safeguards the information it handles.
4. Have a vendor compliance policy for all vendors.
How do you know if your providers are keeping their end of the bargain? Well, it all starts with having a direct conversation with them to make sure their services meet or exceed your company’s vendor compliance policy.
In the past, managing vendor compliance via a contract was adequate. But now, compliance demands a full chain of custody. An effective vendor compliance policy should include:
- Policies and procedures that outline compliance and security training for vendors.
- Contractual agreements with vendors that provide a clear definition of compliance and security expectations.
- A remediation plan for compliance issues.
5. Conduct regular security assessments.
As shown in this example, 7.ai didn’t inform Delta about the data breach until months later. This goes to show that you can’t always trust your third-party providers to keep you in the loop.
At least every quarter, you should conduct a security assessment of your company’s network. To truly understand your security posture, you must look at everything from every angle. An assessment reviews overall network health and exposes data-loss and security loopholes. At the end of your assessment, you’ll know where the weak spots are in your network security, data backup, and third-party providers.