breaking news

Seven arrest warrants issued in Fort Valley State University sex investigation

Lawsuits target Delta and vendor for cybersecurity breach


In the wake of a massive data breach involving chat software on Delta Air Lines’ website, potential class-action lawsuits point a finger at the airline for putting its customers’ information at risk.

Atlanta-based Delta says it has no liability and the online chat provider, a company called [24]7.ai, is liable for the breach disclosed in April.

“Any liability coming out of that breach, which is minimal, is going to be the responsibility of the vendor, which is [24]7,” said Delta CEO Ed Bastian in an interview with The Atlanta Journal-Constitution. “We’ve been very clear about that. It was their breach, not ours.”

It’s likely customers don’t know Delta can share their credit card and other personal information with another company, as the privacy policy on its website outlines. It’s also another example of the sharing of sensitive customer data between companies, while consumers are left in the dark as their privacy is put at risk.

However, in this incident the malware allowed unauthorized access to credit card and other information.

“We’re becoming more and more interconnected, more and more complex in terms of software,” said Andrew Green, a cybersecurity expert and lecturer at Kennesaw State University. With more software being written every day, “we start to expand the attack surface, which is how many different ways an adversary can get in. It’s like adding a window, and another window, and another window to your home.”

A lawsuit filed in June by passenger Teresa McGarry against Delta and [24]7.ai alleges that the breach allowed customer information to be accessed by hackers, and that the two companies’ conduct after the breach “only compounded the injury” to Delta customers.

The breach occurred in September and October 2017, but Delta said it was not notified of the breach until March 28, 2018 and didn’t tell customers until early April.

Delta said the malware allowed access to name, address and credit card information entered to pay on the delta.com desktop website and that “Customers did not have to interact with the online chat tool to be impacted.”

There are two other lawsuits in California, where [24]7.ai is based, and disputes over which court should hear the lawsuits if they are consolidated into one.

“It’s a big battle right now of where the case will be,” said Denis Sheils, a plaintiff’s attorney with Philadelphia-based law firm Kohn, Swift & Graf.

Many people might not be familiar with the company [24]7.ai, what it does and whether they should trust the company with their credit card data.

Using customers’ data is key to the company’s entire business model. Last fall, the San Jose, Calif.-based company changed its name from [24]7 to [24]7.ai to reflect its use of artificial intelligence.

“Businesses worldwide possess tremendous amounts of customer data that exist in silos throughout the enterprise, which makes it difficult to analyze and put to use,” says a [24]7.ai press release. “[24]7.ai uses artificial intelligence to process large amounts of consumer data in order to determine consumer intent,” it said, adding that “only AI can make sense of the tremendous amount of big data that companies possess.”

Delta, like many other companies, has been eager to harness data about its customers to better target them with offers and customize their experience.

[24]7.ai’s “virtual agent” system is aimed at using artificial intelligence to understand what kind of help customers need. Its “predictive chat” technology can use “data from other channels” to increase sales, and “leverage Big Data” to target customers, according to the company’s website.

Although companies like Delta aim to handle data and structure contracts to limit their liability, “the reality is when any vendor like Delta goes into business with a third party, there is shared responsibility,” Green said.

“Delta had, at a minimum, a moral obligation to do some type of due diligence with [24]7.ai” to ensure the vendor’s security processes met Delta’s standards. “When Delta puts trust in an organization… by extension Delta is saying you should trust these people because we chose to do business with them.”

But another challenge for a company like Delta, he said, is maintaining and overseeing the cybersecurity practices of all vendors the company does business with.

“You’ve got to keep an eye on your vendors, and yeah, that means you’ve got to ramp up internally with personnel who do nothing but make sure that the sausage is being made correctly,” Green said. “You have to go in and continuously and periodically monitor these vendors.”

Asher de Metz, senior manager for IT and disaster recovery firm Sungard AS, said “there should have been a whole team at Delta” focused on controlling who has access to credit card transaction data. “There’s a huge amount of value to this data.”

Meanwhile, software developers face their own challenges in trying to be first to market while also facing the threat of increasingly sophisticated cyberattacks, Green said.

“You are rolling out new apps every day…. Testing that software for every conceivable problem that could hit, it’s a daunting task,” Green said. The software then connects to other companies like Delta, and “by extension those organizations now suffer vulnerabilities.”

According to George Avetisov, CEO of New York-based password-less security firm HYPR, information stolen by hackers could be “used for social engineering, account takeover, and much more nefarious uses.”

So when consumers want to be able to shop online in the middle of the night or get customer service help 24/7 “there are going to be risks associated with that,” Green said. “There is no such thing as a risk-free transaction, ever.”



Reader Comments ...


Next Up in Business

Delta to launch flights from Atlanta to Ontario, Calif.
Delta to launch flights from Atlanta to Ontario, Calif.

Delta Air Lines announced plans Friday to launch flights between Hartsfield-Jackson International Airport and Ontario, Calif., adding another way to get from Atlanta to Southern California. Atlanta-based Delta plans to operate one daily flight on the route starting April 22, 2019 and a second daily flight starting June 9. The route will be flown with...
Norfolk Southern CEO talks potential Atlanta move as  Gulch vote nears
Norfolk Southern CEO talks potential Atlanta move as  Gulch vote nears

The CEO of Norfolk Southern told employees Thursday the company is looking to consolidate its headquarters in Atlanta, “but only if many aspects can be resolved,” the Virginian-Pilot newspaper reported.  Though the company had previously discussed a potential consolidation of its operations, the comments by CEO James Squires were...
Techstars Atlanta effort to spur growth
Techstars Atlanta effort to spur growth

Tech accounted last year for nearly 300,000 jobs with average pay of $85,681 a year and a total payroll of more than $25 billion, according to the Technology Association of Georgia. The region is a leader in some tech specialties, like fintech, the software behind credit card transactions and credit processing. But much of it starts...
Phipps Plaza breaks ground on luxury remodel, seeks tax break
Phipps Plaza breaks ground on luxury remodel, seeks tax break

Crews in hard hats are about to make Atlanta’s fanciest mall less mall-like. The $300 million remake for Phipps Plaza in Buckhead will include plenty of upscale additions, with one important exception: No new retail stores. In fact, the mall is dropping from three anchor department stores to two, with the recent closing of Belk. Phipps&rsquo...
Coca-Cola gives $2 million for youth programs in Atlanta
Coca-Cola gives $2 million for youth programs in Atlanta

The Coca-Cola Foundation has donated $2 million to support youth development programs in Atlanta. The grant to the Atlanta Police Foundation’s Vision Safe Atlanta campaign will fund programs like the At-Promise Center. The Center serves more than 300 at-risk youths who live on the city’s Westside, providing educational and professional...
More Stories