Lawsuits target Delta and vendor for cybersecurity breach


In the wake of a massive data breach involving chat software on Delta Air Lines’ website, potential class-action lawsuits point a finger at the airline for putting its customers’ information at risk.

Atlanta-based Delta says it has no liability and the online chat provider, a company called [24]7.ai, is liable for the breach disclosed in April.

“Any liability coming out of that breach, which is minimal, is going to be the responsibility of the vendor, which is [24]7,” said Delta CEO Ed Bastian in an interview with The Atlanta Journal-Constitution. “We’ve been very clear about that. It was their breach, not ours.”

It’s likely customers don’t know Delta can share their credit card and other personal information with another company, as the privacy policy on its website outlines. It’s also another example of the sharing of sensitive customer data between companies, while consumers are left in the dark as their privacy is put at risk.

However, in this incident the malware allowed unauthorized access to credit card and other information.

“We’re becoming more and more interconnected, more and more complex in terms of software,” said Andrew Green, a cybersecurity expert and lecturer at Kennesaw State University. With more software being written every day, “we start to expand the attack surface, which is how many different ways an adversary can get in. It’s like adding a window, and another window, and another window to your home.”

A lawsuit filed in June by passenger Teresa McGarry against Delta and [24]7.ai alleges that the breach allowed customer information to be accessed by hackers, and that the two companies’ conduct after the breach “only compounded the injury” to Delta customers.

The breach occurred in September and October 2017, but Delta said it was not notified of the breach until March 28, 2018, and didn’t tell customers until early April.

Delta said the malware allowed access to name, address and credit card information entered to pay on the delta.com desktop website and that “Customers did not have to interact with the online chat tool to be impacted.”

There are two other lawsuits in California, where [24]7.ai is based, and disputes over which court should hear the lawsuits if they are consolidated into one.

“It’s a big battle right now of where the case will be,” said Denis Sheils, a plaintiff’s attorney with Philadelphia-based law firm Kohn, Swift & Graf.

Many people might not be familiar with the company [24]7.ai, what it does and whether they should trust the company with their credit card data.

Using customers’ data is key to the company’s entire business model. Last fall, the San Jose, Calif.-based company changed its name from [24]7 to [24]7.ai to reflect its use of artificial intelligence.

“Businesses worldwide possess tremendous amounts of customer data that exist in silos throughout the enterprise, which makes it difficult to analyze and put to use,” says a [24]7.ai press release. “[24]7.ai uses artificial intelligence to process large amounts of consumer data in order to determine consumer intent,” it said, adding that “only AI can make sense of the tremendous amount of big data that companies possess.”

Delta, like many other companies, has been eager to harness data about its customers to better target them with offers and customize their experience.

[24]7.ai’s “virtual agent” system is aimed at using artificial intelligence to understand what kind of help customers need. Its “predictive chat” technology can use “data from other channels” to increase sales, and “leverage Big Data” to target customers, according to the company’s website.

Although companies like Delta aim to handle data and structure contracts to limit their liability, “the reality is when any vendor like Delta goes into business with a third party, there is shared responsibility,” Green said.

“Delta had, at a minimum, a moral obligation to do some type of due diligence with [24]7.ai” to ensure the vendor’s security processes met Delta’s standards. “When Delta puts trust in an organization… by extension Delta is saying you should trust these people because we chose to do business with them.”

But another challenge for a company like Delta, he said, is maintaining and overseeing the cybersecurity practices of all vendors the company does business with.

“You’ve got to keep an eye on your vendors, and yeah, that means you’ve got to ramp up internally with personnel who do nothing but make sure that the sausage is being made correctly,” Green said. “You have to go in and continuously and periodically monitor these vendors.”

Asher de Metz, senior manager for IT and disaster recovery firm Sungard AS, said “there should have been a whole team at Delta” focused on controlling who has access to credit card transaction data. “There’s a huge amount of value to this data.”

Meanwhile, software developers face their own challenges in trying to be first to market while also facing the threat of increasingly sophisticated cyberattacks, Green said.

“You are rolling out new apps every day…. Testing that software for every conceivable problem that could hit, it’s a daunting task,” Green said. The software then connects to other companies like Delta, and “by extension those organizations now suffer vulnerabilities.”

According to George Avetisov, CEO of New York-based password-less security firm HYPR, information stolen by hackers could be “used for social engineering, account takeover, and much more nefarious uses.”

So when consumers want to be able to shop online in the middle of the night or get customer service help 24/7 “there are going to be risks associated with that,” Green said. “There is no such thing as a risk-free transaction, ever.”


