Delta Air Lines Cyberattack: Customer Credit Card Details Potentially Exposed

Delta Air Lines
Baggage tags are seen near a counter of Delta Air Lines in Mexico City on August 8, 2016. REUTERS/Ginnette Riquelme

Delta Air Lines and Sears Holdings confirmed on Wednesday that a cybersecurity incident at a third-party company called 247.ai potentially left payment details of their customers exposed online between September and October last year.

Both businesses were informed of the incident in March 2018 and while 247.ai—which provides online chat services—has attempted to play down the scope of the leak Sears Holdings confirmed in a release that up to 100,000 customers could be impacted. Delta has not revealed how many of its customers were involved.

"No other customer personal information, such as passport, government ID, security or SkyMiles information was impacted," Delta Air Lines said in a statement published on its website. "Even though only a small subset of our customers would have been exposed, we cannot say definitively whether any of our customers' information was actually accessed or subsequently compromised," it continued.

The firm assured customers they would not be liable, adding: "In the event any of our customers' payment cards were used fraudulently as a result of the 247.ai cyber incident, we will ensure our customers are not responsible for that activity."

A representative for 247.ai, which is headquartered in California but has offices around the world, could not immediately be reached for comment by phone. In a press statement, the firm said all clients affected by the breach have already been informed. "We are confident that the platform is secure," it said Wednesday.

In a statement, Sears Holdings said: "We believe this incident involved unauthorized access to less than 100,000 of our customers' credit card information.

"As soon as 247.ai informed us in mid-March 2018, we immediately notified the credit card companies to prevent potential fraud and launched a thorough investigation with federal law enforcement authorities, our banking partners, and IT security firms. As a result of that investigation, we believe the credit card information for certain customers who transacted online between September 27 2017 and October 12 2017 may have been compromised."

The company noted that customers using its Sears-branded credit cards were not impacted. "In addition, there is no evidence that our stores were compromised or that any internal Sears systems were accessed by those responsible," it added.

The company responsible, 247.ai, has not revealed any specific information about how the "cyber incident" occurred but has said an investigation remains ongoing.