Delta’s web page on the cyberattack.

Lawsuits target Delta and vendor for cybersecurity breach

In the wake of a massive data breach involving chat software on Delta Air Lines’ website, potential class-action lawsuits point a finger at the airline for putting its customers’ information at risk.

Atlanta-based Delta says it has no liability and the online chat provider, a company called [24]7.ai, is liable for the breach disclosed in April.

“Any liability coming out of that breach, which is minimal, is going to be the responsibility of the vendor, which is [24]7,” said Delta CEO Ed Bastian in an interview with The Atlanta Journal-Constitution. “We’ve been very clear about that. It was their breach, not ours.”

It’s likely customers don’t know Delta can share their credit card and other personal information with another company, as the privacy policy on its website outlines. It’s also another example of the sharing of sensitive customer data between companies, while consumers are left in the dark as their privacy is put at risk.

However, in this incident the malware allowed unauthorized access to credit card and other information.

“We’re becoming more and more interconnected, more and more complex in terms of software,” said Andrew Green, a cybersecurity expert and lecturer at Kennesaw State University. With more software being written every day, “we start to expand the attack surface, which is how many different ways an adversary can get in. It’s like adding a window, and another window, and another window to your home.”

A lawsuit filed in June by passenger Teresa McGarry against Delta and [24]7.ai alleges that the breach allowed customer information to be accessed by hackers, and that the two companies’ conduct after the breach “only compounded the injury” to Delta customers.

The breach occurred in September and October 2017, but Delta said it was not notified of the breach until March 28, 2018 and didn’t tell customers until early April.

Delta said the malware allowed access to name, address and credit card information entered to pay on the delta.com desktop website and that “Customers did not have to interact with the online chat tool to be impacted.”

There are two other lawsuits in California, where [24]7.ai is based, and disputes over which court should hear the lawsuits if they are consolidated into one.

“It’s a big battle right now of where the case will be,” said Denis Sheils, a plaintiff’s attorney with Philadelphia-based law firm Kohn, Swift & Graf.

Many people might not be familiar with the company [24]7.ai, what it does and whether they should trust the company with their credit card data.

Using customers’ data is key to the company’s entire business model. Last fall, the San Jose, Calif.-based company changed its name from [24]7 to [24]7.ai to reflect its use of artificial intelligence.

“Businesses worldwide possess tremendous amounts of customer data that exist in silos throughout the enterprise, which makes it difficult to analyze and put to use,” says a [24]7.ai press release. “[24]7.ai uses artificial intelligence to process large amounts of consumer data in order to determine consumer intent,” it said, adding that “only AI can make sense of the tremendous amount of big data that companies possess.”

Delta, like many other companies, has been eager to harness data about its customers to better target them with offers and customize their experience.

[24]7.ai’s “virtual agent” system is aimed at using artificial intelligence to understand what kind of help customers need. Its “predictive chat” technology can use “data from other channels” to increase sales, and “leverage Big Data” to target customers, according to the company’s website.

Although companies like Delta aim to handle data and structure contracts to limit their liability, “the reality is when any vendor like Delta goes into business with a third party, there is shared responsibility,” Green said.

“Delta had, at a minimum, a moral obligation to do some type of due diligence with [24]7.ai” to ensure the vendor’s security processes met Delta’s standards. “When Delta puts trust in an organization… by extension Delta is saying you should trust these people because we chose to do business with them.”

But another challenge for a company like Delta, he said, is maintaining and overseeing the cybersecurity practices of all vendors the company does business with.

“You’ve got to keep an eye on your vendors, and yeah, that means you’ve got to ramp up internally with personnel who do nothing but make sure that the sausage is being made correctly,” Green said. “You have to go in and continuously and periodically monitor these vendors.”

Asher de Metz, senior manager for IT and disaster recovery firm Sungard AS, said “there should have been a whole team at Delta” focused on controlling who has access to credit card transaction data. “There’s a huge amount of value to this data.”

Meanwhile, software developers face their own challenges in trying to be first to market while also facing the threat of increasingly sophisticated cyberattacks, Green said.

“You are rolling out new apps every day…. Testing that software for every conceivable problem that could hit, it’s a daunting task,” Green said. The software then connects to other companies like Delta, and “by extension those organizations now suffer vulnerabilities.”

According to George Avetisov, CEO of New York-based password-less security firm HYPR, information stolen by hackers could be “used for social engineering, account takeover, and much more nefarious uses.”

So when consumers want to be able to shop online in the middle of the night or get customer service help 24/7 “there are going to be risks associated with that,” Green said. “There is no such thing as a risk-free transaction, ever.”
