Tech & Science

Delta Air Lines: Credit Card Breach Hits ‘Several Hundred Thousand’ Victims

Delta Air Lines
Passengers check in at a counter of Delta Air Lines in Mexico City, Mexico, August 8, 2016. REUTERS/Ginnette Riquelme/File Photo

Delta Air Lines confirmed in an updated notice to its customers on Thursday that a malware incident at a third-party vendor called 247.ai potentially exposed the credit card details of “several hundred thousand” victims in September last year.

This week, both Delta and Sears Holdings revealed that a so-called “cybersecurity incident” had taken place. While details were initially scant, the airline said in its latest statement that malware present in 247.ai’s software—designed to facilitate online chats—made unauthorized access to credit card information possible.

It said that potentially compromised credit card information included names, addresses, payment card numbers, CVV numbers and expiration dates. The notice stated that sensitive data was vulnerable if the information “was manually entered by the customer and the customer completed the purchase transaction.”

The incident occurred between September 26 and October 12.

A Delta statement read, “At this point, we understand that the malware was present for a short period of time and potentially exposed several hundred thousand customers. While we believe we have identified with some precision the transactions that could have been impacted, we cannot say definitively whether any of our customers’ information was actually accessed or […] compromised.

“There was no impact to the Fly Delta app, mobile delta.com or any other Delta computer system. Payment card information for those customers who used Delta Wallet to complete transactions was not compromised.

"The malware could only collect the information shown on the screen, so credit card information automatically populated by Delta Wallet functionality would have remained masked and not useable.”

Delta said it's working to contact those affected and a help-page website would be regularly updated. No other personal information—such as passport, government ID, security or SkyMiles information—is believed to be impacted.

In a separate statement on Wednesday, 247.ai said, “We have notified law enforcement and are cooperating fully to ensure the protection of our clients and their customers' online safety. We are confident that the platform is secure.”

Editor's Pick