Delta, Sears and 3rd Party Risks
According to the press release issued by Delta Airlines, support chat software provider 7.ai was hit by a coordinated cyberattack between September 26th and October 12th 2017. Customers were only made aware of this attack on March 28th 2018 after 7.ai allegedly concluded its internal investigation in cooperation with law enforcement.
7.ai provides white-labeled support chat solutions. While actual humans may be integrated into the chat process, the main selling point appears to be that an artificial intelligence selects appropriate responses from a database to answer customer inquiries thus reducing the number of required human support representatives.
This unspecified vulnerability in 7.ai lead to the chat software containing malware for 16 days. But since the software is operated by 7.ai and included in the corporate customer’s websites, the injected malware was executed in the context of said websites, from where it was likely able to access customer information.
According to Delta, customers who entered their credit card number during the affected time period may have had it stolen but other personal information was not impacted. At the time of publishing, we are unclear on how Delta reached this conclusion.
What is the impact?
Delta, Sears and other affected customers are unlikely to face any legal consequences from the breach as they appear to have acted correctly and swiftly upon being notified of the attack. Whether 7.ai will face legal consequences is uncertain at this point in time. A 5 month internal investigation period is long but not unheard of.
Image impact to the brand is a different matter. It is likely that the reputation damage done to 7.ai will greatly damage their ability to sell to corporate customers. While the long investigation period may have been required, it is also likely to put off potential sales. Delta and Sears in turn are likely to face a loss of customer trust in their cyber security capabilities, as most end-users are unable or rightfully unwilling to discern if a breach was the fault of the company they entrusted their data to or one of its chosen 3rd party providers.
3rd party providers are a tricky topic for any company handling sensitive customer data. While such providers may have excellent security and isolate the company from legal risks associated with cyber attacks, using them also means relinquishing control over security practices and policies. If a weakness in the provider’s capabilities is discovered, it might already be too late.
Industry wide information security standards aim to combat such uncertainty and create a secure baseline for all companies involved. However as implementation remains novel and spotty, we are expecting similar incidents to happen for the foreseeable future.
Companies are advised to choose their 3rd party providers carefully and make information security track record and policy a major factor when deciding what providers to work with.