Slashdot Mirror


Malware Attack on Vendor To Blame for Delta and Sears Data Breach Affecting 'Hundreds of Thousands' of Customers (gizmodo.com)

Delta Air Lines and Sears Holdings on Thursday disclosed a data breach that may have exposed the payment card details of hundreds of thousands of online customers. From a report: The breach originated at a software vendor called [24]7, which provides Sears, Delta, and other businesses with online chat services. Less than 100,000 Sears customers were supposedly impacted, according to Sears. A Delta spokesperson said hundreds of thousands of travelers are potentially exposed. Gizmodo has learned the breach was the result of a malware attack, and that the unauthorized access involved payment card numbers, CVV numbers, and expiration dates, in addition to customers' names and addresses.

In a statement, [24]7 said the breach occurred on September 27th of last year and was contained roughly two weeks later. In a statement, Sears said it was first notified about the breach in mid-March. Credit card companies have been notified, and law enforcement is likewise investigating the incident. "Customers using a Sears-branded credit card were not impacted," Sears said. "In addition, there is no evidence that our stores were compromised or that any internal Sears systems were accessed by those responsible."

28 comments

  1. Well, that's interesting... by Trailer+Trash · · Score: 4, Funny

    I didn't know Sears still had 100,000 customers.

    1. Re:Well, that's interesting... by rjune · · Score: 1

      Hey! Don't say bad things about Sears. I really like the store at my local mall. The parking lot is always empty so I can park close to the door, cut through the store (don't have to dodge anyone walking around) and get to the store I want to go to.

    2. Re:Well, that's interesting... by Anonymous Coward · · Score: 0

      ROFL, I did exactly that last week.

      And there WAS a parking spot right by the door :O

    3. Re:Well, that's interesting... by Trailer+Trash · · Score: 1

      You insensitive clods.

      They closed our Sears. So now I have to park farther out and use another door to the mall :(

  2. Breaking News by Anonymous Coward · · Score: 1

    Sears has 100,000 customers? Wow!

  3. Correction by Anonymous Coward · · Score: 0

    Delta: Hundreds of thousands.
    Sears: Tens.

  4. Funny Timing by Rastl · · Score: 2

    I was on the Sears site today and it served up a malware ad. So now we know how much they really care about security.

  5. plain english by nimbius · · Score: 4, Insightful

    This affected Delta and Sears websites where users entered data on the website to complete a transaction.

    We understand malware present in [24]7.ai's software between Sept. 26 and Oct. 12, 2017 made unauthorized access possible for the following fields of information: name, address, payment card number, CVV number, and expiration date during their purchase process if this information was manually entered by the customer and the customer completed the purchase transaction.

    Why did it take 5 months to disclose? As a simple hypothesis, I would suggest it's because disclosure in November may have had an impact on Delta's ability to generate anticipated levels of revenue in December, a major holiday travel season.

    --
    Good people go to bed earlier.

    1. Re:plain english by Nidi62 · · Score: 1

      This affected Delta and Sears websites where users entered data on the website to complete a transaction.

      We understand malware present in [24]7.ai's software between Sept. 26 and Oct. 12, 2017 made unauthorized access possible for the following fields of information: name, address, payment card number, CVV number, and expiration date during their purchase process if this information was manually entered by the customer and the customer completed the purchase transaction.

      Why did it take 5 months to disclose? As a simple hypothesis, I would suggest it's because disclosure in November may have had an impact on Delta's ability to generate anticipated levels of revenue in December, a major holiday travel season.

      Well, right now it's only a month or two away from another, longer major travel season: summer.

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil

    2. Re:plain english by Anonymous Coward · · Score: 2, Informative

      Why did it take 5 months to disclose? As a simple hypothesis, I would suggest its because disclosure in November may have had an impact on Deltas ability to generate anticipated levels of revenue in December, a major holiday travel season.

      It was discovered by [24]7 in the fall and according to the article, they sat on the information, not Delta/Sears.

      In a statement, Sears said it was first notified about the breach in mid-March.

    3. Re:plain english by pr0t0 · · Score: 2

      So it sounds like the ad was scraping the form fields, or doing a kind of man-in-the-middle attack on the form page? It's the acceptance of active advertising that opened the door for this type of behavior. The promise of highly targeted advertising based on tracking users across not only your site but the whole of the internet gets content providers salivating at higher ad rates and willing to let XYZ ad network run whatever scripts they want on their site.

      How many more stories like this are we going to have to endure before someone figures out a better way to do this? I personally don't feel that anything other than a static image is acceptable for web advertising, and since that seems ever unlikely, I'll happily run script, tracking, and ad blockers and not lose sleep about any content provider's ad-based revenue model...like Slashdot/BizX.

      --
      I'm sorry, but your opinion seems to be wrong.
    4. Re:plain english by Anonymous Coward · · Score: 0

      If [24]7 failed to notify the card issuers for 5 months, they are done as a merchant.

  6. Wonder how many C-levels shorted their stock? by Anonymous Coward · · Score: 0

    Whenever I see a public notification with a large delay between when it happened and when it came out, it makes me wonder how many people working for the company shorted their stock portfolio.

    1. Re:Wonder how many C-levels shorted their stock? by olsmeister · · Score: 1

      I doubt they want to fuck around with insider trading charges.

    2. Re:Wonder how many C-levels shorted their stock? by ShanghaiBill · · Score: 1

      I doubt they want to fuck around with insider trading charges.

      That is why the CEO doesn't short the stock himself. He has his brother-in-law do it.

  7. Everyday bullshit by Anonymous Coward · · Score: 0

    Who's going to goddamn jail for this? Fuck this everyday bullshit!

  8. penalties by supernova87a · · Score: 3, Interesting

    I keep saying, the following penalty scheme will clean up data breaches right quick:

    $1 per name, email, physical address
    $2 per phone number
    $3 per credit card number
    $4 per SSN
    And multiply for combinations thereof. You'll see how fast companies move to secure their data.

    1. Re:penalties by dgatwood · · Score: 1

      Okay. One dollar for the first person, times one dollar for the second, ... times one dollar for the millionth. Perfect. So it will only cost us a dollar to leave things wide open. Sounds good. :-D

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    2. Re:penalties by DigiShaman · · Score: 1

      LOL, yeah, right. They won't fucking care. They'll still farm out development to the cheapest H1B staffed bidder. It's a risk assessment. They will simply pay the fine, and pass the loss onto the consumer until the next time. Lather, rinse, repeat.

      IT is a cost center, and consumers of the services are treated like mushrooms - keep them in the dark and feed them shit!

      NOBODY FUCKING CARES!

      --
      Life is not for the lazy.

    3. Re:penalties by sheph · · Score: 2

      Payable to the individual who experienced the loss. I'll never understand how the government fines companies on our behalf, but then none of that money goes toward mitigating the real damage. If your identity is stolen because of it they should be liable for all of the costs to clean it up. Including your time.

      --
      I don't believe in karma, I just call it like I see it.

    4. Re:penalties by supernova87a · · Score: 1

      Per person, duh.

    5. Re:penalties by dgatwood · · Score: 1

      I know. I just couldn't resist. :-D

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  9. Ad Nauseam by WinstonWolfIT · · Score: 2

    PayPal with 2FA. It's insane to type card details into a website.

    1. Re:Ad Nauseam by Anonymous Coward · · Score: 0

      It's insane to type card details into a website.

      Like paypal.com?

  10. Small wonder by nospam007 · · Score: 1

    "In addition, there is no evidence that our stores were compromised or that any internal Sears systems were accessed by those responsible."

    Since you didn't install/activate the security that would have been able to prevent/detect or at least log any such breach, small wonder that there is no evidence.