A vendor that provides online chat services for customer acquisition and engagement appears to be the common thread in breaches disclosed Wednesday by Delta Air Lines Inc. and Sears Holdings Corp.
The service provider is [24]7.ai Inc., a San Jose, Calif.-based company that provides services like virtual chat agents and analytics. In a statement, the company said the breach began Sept. 26, but was discovered and “contained” on Oct. 12. It notified law-enforcement agencies and said it is cooperating with the investigation.
Other clients of [24]7.ai may have been affected. The company says a “small number of our client companies” were affected. So far, however, only Delta and Sears are publicly known.
Hoffman Estates, Ill.-based Sears, which also owns Kmart, said [24]7.ai told it of the breach in mid-March. The breach involved access to credit card information for fewer than 100,000 of its customers, Sears says. Sears puts the dates its customers could have been affected between Sept. 27 and Oct. 12. Those using a Sears-branded credit card were not affected, the retailer says.
“In addition, there is no evidence that our stores were compromised or that any internal Sears systems were accessed by those responsible. [24]7.ai has assured us that their systems are now secure,” a Sears statement says.
Atlanta-based Delta said customer payment information was exposed to the criminals between Sept. 26 and Oct. 12. Delta said no other personally identifiable information, such as passport, government identity, security, or SkyMiles (its rewards program) information, was affected.
Like Sears, it has worked with law-enforcement agencies and forensic investigators. “At this point, even though only a small subset of our customers would have been exposed, we cannot say definitively whether any of our customers’ information was actually accessed or subsequently compromised,” Delta says in a statement.
Delta will launch a dedicated Web site (Delta.com/response) Thursday to provide updates about the incident. “We will also directly contact customers who may have been impacted by the [24]7.ai cyber incident. In the event any of our customers’ payment cards were used fraudulently as a result of the [24]7.ai cyber incident, we will ensure our customers are not responsible for that activity.”
In other data-protection news, ControlScan, which provides security and compliance services, launched PaySafe Connect. This managed-security service provides PCI data-security standard compliance for standalone point-of-sale terminals, ControlScan says.
Atlanta-based ControlScan says merchants using standalone POS terminals must annually self-attest their PCI compliance, and the PaySafe Connect service provides a way to meet firewall requirements and bolster security. The service is available to ControlScan resellers.