Slashdot Mirror

← Back to Stories (view on slashdot.org)

Malware Attack on Vendor To Blame for Delta and Sears Data Breach Affecting 'Hundreds of Thousands' of Customers (gizmodo.com)

Posted by msmash on from the closer-look dept.

Delta Air Lines and Sears Holding on Thursday disclosed a data breach that may have exposed the payment card details of hundreds of thousands of online customers. From a report: The breach originated at a software vendor called [24]7, which provides Sears, Delta, and other businesses with online chat services. Less than 100,000 Sears customers were supposedly impacted, according to Sears. A Delta spokesperson said hundreds of thousands of travelers are potentially exposed. Gizmodo has learned the breach was the result of a malware attack, and that the unauthorized access involved payment card numbers, CVV numbers, and expiration dates, in addition to customers' names and addresses.

In a statement, [24]7 said the breach occurred on September 27th of last year and was contained roughly two weeks later. In a statement, Sears said it was first notified about the breach in mid-March. Credit card companies have been notified, and law enforcement is likewise investigating the incident. "Customers using a Sears-branded credit card were not impacted," Sears said. "In addition, there is no evidence that our stores were compromised or that any internal Sears systems were accessed by those responsible."

8 of 28 comments (clear)

  1. Well, that's interesting... by Trailer+Trash · · Score: 4, Funny

    I didn't know Sears still had 100,000 customers.

    --
    Do you have ESP?
  2. Funny Timing by Rastl · · Score: 2

    I was on the Sears site today and it served up a malware ad. So now we know how much they really care about security.

  3. plain english by nimbius · · Score: 4, Insightful
    This affected Delta and Sears websites where users entered data on the website to complete a transaction.

    We understand malware present in [24]7.ai's software between Sept. 26 and Oct. 12, 2017 made unauthorized access possible for the following fields of information; name, address, payment card number, CVV number, and expiration date during their purchase process if this information was manually entered by the customer and the customer completed the purchase transaction.

    Why did it take 5 months to disclose? As a simple hypothesis, I would suggest its because disclosure in November may have had an impact on Deltas ability to generate anticipated levels of revenue in December, a major holiday travel season.

    --
    Good people go to bed earlier.
    1. Re:plain english by Anonymous Coward · · Score: 2, Informative

      Why did it take 5 months to disclose? As a simple hypothesis, I would suggest its because disclosure in November may have had an impact on Deltas ability to generate anticipated levels of revenue in December, a major holiday travel season.

      It was discovered by [24]7 in the fall and according to the article, they sat on the information, not Delta/Sears.

      In a statement, Sears said it was first notified about the breach in mid-March.

    2. Re:plain english by pr0t0 · · Score: 2

      So it sounds like the ad was scraping the form fields, or doing a kind of man-in-the-middle attack on the form page? It's the acceptance of active advertising that opened the door for this type of behavior. The promise of highly targeted advertising based on tracking users across not only your site but the whole of the internet, gets content providers salivating at higher ad rates and willing to let XYZ ad network to run whatever scripts they want on their site.

      How many more stories like this are we going to have to endure before someone figures out a better way to do this? I personally don't feel that anything other than a static image is acceptable for web advertising, and since that seems ever unlikely, I'll happily run script, tracking, and ad blockers and not lose sleep about any content provider's ad-based revenue model...like Slashdot/BizX.

      --
      I'm sorry, but your opinion seems to be wrong.
  4. penalties by supernova87a · · Score: 3, Interesting

    I keep saying, the following penalty scheme will clean up data breaches right quick:

    $1 per name, email, physical address
    $2 per phone number
    $3 per credit card number
    $4 per SSN


    And multiply for combinations thereof. You'll see how fast companies move to secure their data.

    1. Re:penalties by sheph · · Score: 2

      Payable to the individual who experienced the loss. I'll never understand how the government fines companies on our behalf, but then none of that money goes toward mitigating the real damage. If your identity is stolen because of it they should be liable for all of the costs to clean it up. Including your time.

      --
      I don't believe in karma, I just call it like I see it.
  5. Ad Nauseum by WinstonWolfIT · · Score: 2

    Paypal with 2fa. It's insane to type card details into a website.