Delta Airlines has confirmed that, as a result of an online security breach involving a malware attack, the payment card details of “several hundreds of thousands” of its customers may have been compromised.
The breach, which occurred last fall, was announced today (Thursday). The airline has admitted that it may have exposed customers’ names, addresses, credit and debit card numbers, card security codes and card expiration dates.
Delta was keen to play down the event, advising that only “a small subset” of the carrier’s passengers may have been affected and, even then, it couldn’t be sure that the data had actually been compromised by the malware attack. The malware appears to have been introduced by (24)7.ai, a company which provided Delta with online chat customer support services for a two-week period. The security breach was first noticed in October last year and was immediately fixed.
Delta was not the only organization affected at the time. Sears Holdings Ltd. was also breached, though the company did not become aware of this until mid-March. Both Delta and Sears have been assisting federal law enforcement officials and IT security experts.
Bill Curtis, chief scientist at security software firm CAST, has commented that, as opposed to the companies’ systems being hacked, the malware targets the customers, who will have inadvertently “downloaded something that was watching your screen and waiting for the credit cards to float. They stole the data as you entered it.” Curtis added that he considered (24)7.ai “has a huge liability here.”