It has been revealed that the cyberattack the American airline Delta suffered last year may have exposed customer payment information. The airline said the incident involved (24)7.ai, a chat-services provider used by Delta and other companies. Delta says only “a small subset” of customers were affected, with payment information exposed from Sept. 26 to Oct. Security experts commented below.
Martin Jartelius, CSO at Outpost24:
How should Delta handle to breach?
As this relates to a PCI certified environment, the task of foresic investigations is with the card brands. The important part now is to handle the customer relations with transparency, and also to review the trusts between their own organization and their service providers.
As there is a known period the breach occurred, it is of course of importance to find out how it was possible for it to occur and how to prevent it from recurring.
What should customers do?
The breach occurred last year and remain undetected until a week ago. Customers should always be attentive to their card transactions. Depending on the maturity of security delivered by issuing banks, it is for example possible to block cards for card-not-present transactions without further authorization from the cardholder – however this does not hold true for all banks of geographical regions. As a customer, demand to be either be protected from damage, or provided adequate technical protection by your card issuer.
Do you have any comments around the payment platform that exposed the details?
Delta, as any other organization hosting web content, must consider that any instance when logic flows from one application to another, there is a transfer of trust – trust you have with your clients which is based on your brand and your relationship with your customers. This breach had its primary incident not with Delta, but with their partner – Yet it is stated as an issue affecting Delta. This is the reason understanding your entire digital eco-system ranging from outsourced processes to “cross domain” included scripts, including ad-networks, allows someone else to interact with your customers based on the trust those invest in you. And that also means, a good part of the negative impact of a breach with a partner will reflect back on that trust.
One should also note that this is a certified organization which have been through reviews and testing – Security is a continuous process, and compliance is not a guarantee of security. As long as banks hold their clients damage free, we can accept the current level of security. If consumers are to shoulder the costs or responsibility, much is still to be done regarding rather basic security in the payment card industry.
Craig Young, Computer Security Researcher at Tripwire:
“There are some interesting questions to ask in response to this disclosure. Why was the breach window so short? Were the attackers discovered and booted back in October? If so, why is it that we are only learning of the breach nearly six months later? If not, how can (24)7.ai be so confident of the scope of the breach? Were payment card providers notified sooner? Time is a critical factor for preventing fraud whenever there is a breach of financial data. Delta has assured customers that they won’t be held responsible for fraudulent charges but it seems likely that if fraudulent charges related to this have not already been identified, there is little hope that they will ever be connected to this breach.”
Lee Munson, Security Researcher at Comparitech.com:
“The cyberattack experienced by Delta highlights the many different facets of a data breach, from the good to the bad, as well as the unknown.
Obviously the big negative here is the fact that customers have potentially had their payment card data swiped, though the unknown factor is whether or not that information was encrypted, or how.
From an incident response point of view, it is a shame to learn to the attack has only now come to light, having occurred and been spotted last year, though we are, of course, unaware of when affected customers were notified.
On a more positive note, no personal information was stolen and Delta was quick to examine the breach and learn lessons from it.
We can only hope that affected customers have been offered appropriate support and advice and are now changing passwords where appropriate and examining credit reports with a keen eye.”
Satya Gupta, Co-Founder and Chief Technology Officer at Virsec:
“Once again, another breach raises troubling questions about why current security defenses are failing, and why organizations are dragging their feet with public breach notification. The company says it was notified in mid-March, yet the breach occurred six months earlier and was “quickly resolved.” Whether it’s a company or sub-contractor, the first impulse when a breach is discovered seems to be stalling and hoping it will not go public.
More broadly, we continue to rely on an outdated security model – protecting a porous perimeter, while hackers are often already inside, waiting to exploit vulnerabilities that may dwell for months. The focus has to shift to directly protecting applications and critical data – not relying on perimeter protection which is rapidly disappearing.”
Nick Bilogorskiy, Cybersecurity Strategist at Juniper Networks:
“Delta Air was not directly breached, it was affected by a third-party vendor breach. We saw this vector in play earlier this week with the Energy Transfer Partners third-party EDI breach.
It is no longer enough for large companies to only protect their own networks and internal systems from malware. Nowadays, business is conducted with the help of third-party service companies that provide savings by solving a piece of the puzzle for big companies, like online transaction support, for instance. In such cases, the third-party vendor increases the attack surface and the risk of a cybersecurity breach for the enterprise.
Third parties have been the vector of attack in many high-profile breaches and I anticipate this trend will continue. In recent years, 63 percent of breaches were traced to third-party vendors, according to the Soha System’s survey on third-party risk management. If a hacker can breach a company and pretend to be a legitimate vendor, they may have full access to a company’s network for months; plenty of time to monetize their attack.
A vendor often serves multiple customers, which can create complications and delays in incident response. It is crucial for companies to audit the security posture of their vendor just as rigorously as they do their own.
7.ai operates global centers that outsource voice and chat agent services for sales and support, providing a channel of communication between their clients and customers. When such a channel is compromised, it can be quite damaging as the attackers can pose as support or sales managers and ask customers to provide sensitive information.”
Anthony James, Chief Marketing Officer at CipherCloud (San Jose, CA):
“It is an all too frequent headline – another high profile company breached with hundreds of thousands of customers’ personal information or credit card data stolen. As with the Sears breach announced today, the 3rd party companies are the weakest link in the security chain. The unfortunate realization that the largest brands are being impacted by their smaller partner companies should inform any organization when they establish their security practices and controls.
The question needs to be asked, who are our partners, what are their security practices, what data are we sharing, and what systems will they have access to? In this example, 7.ai – the software service provider for Sears (and many other large retail and airline brands) – became the source for the breach exposing customer credit card data.
With data being the core asset cyber thieves are targeting, new approaches to data protection need to be implemented. There are plenty of new technology approaches to secure data when it is at rest, in flight and in use. These strategies need to be implemented when companies have access to critical customer data.”
Mounir Hahad, Head of Juniper Threat Labs at Juniper Networks:
“The fact that these two breaches have been discovered in September and March, respectively, means there may be a systemic issue that has been present for at least the past six months within the area of compromise.
It is important to understand that this breach is different from some past breaches, such as Target, where the third-party vendor was a vehicle for an intrusion into the final victim’s own network. In the case of SaaS offerings, a threat actor may not even need to breach your network, siphoning off your data directly from the third-party vendor that you do business with instead. In other words, it is just as important to assess the security posture of a vendor you allow into your network as a vendor you exchange information with to provide you with a service. At the end of the day, it’s companies like Delta Air and Sears that end up in the news, not so much the third-party vendor.”