Malware Attack on Vendor To Blame for Delta and Sears Data Breach Affecting 'Hundreds of Thousands' of Customers (gizmodo.com) 28
Delta Air Lines and Sears Holding on Thursday disclosed a data breach that may have exposed the payment card details of hundreds of thousands of online customers. From a report: The breach originated at a software vendor called [24]7, which provides Sears, Delta, and other businesses with online chat services. Less than 100,000 Sears customers were supposedly impacted, according to Sears. A Delta spokesperson said hundreds of thousands of travelers are potentially exposed. Gizmodo has learned the breach was the result of a malware attack, and that the unauthorized access involved payment card numbers, CVV numbers, and expiration dates, in addition to customers' names and addresses.
In a statement, [24]7 said the breach occurred on September 27th of last year and was contained roughly two weeks later. In a statement, Sears said it was first notified about the breach in mid-March. Credit card companies have been notified, and law enforcement is likewise investigating the incident. "Customers using a Sears-branded credit card were not impacted," Sears said. "In addition, there is no evidence that our stores were compromised or that any internal Sears systems were accessed by those responsible."
In a statement, [24]7 said the breach occurred on September 27th of last year and was contained roughly two weeks later. In a statement, Sears said it was first notified about the breach in mid-March. Credit card companies have been notified, and law enforcement is likewise investigating the incident. "Customers using a Sears-branded credit card were not impacted," Sears said. "In addition, there is no evidence that our stores were compromised or that any internal Sears systems were accessed by those responsible."
Well, that's interesting... (Score:5, Funny)
I didn't know Sears still had 100,000 customers.
Re: (Score:2)
Hey! Don't say bad things about Sears. I really like the store at my local mall. The parking lot is always empty so I can park close to the door, cut through the store (don't have to dodge anyone walking around) and get to the store I want to go.
Re: (Score:2)
You insensitive clods.
They closed our Sears. So now I have to park farther out and use another door to the mall :(
Breaking News (Score:1)
Sears has 100,000 customers? Wow!
Funny Timing (Score:2)
I was on the Sears site today and it served up a malware ad. So now we know how much they really care about security.
Comment removed (Score:5, Insightful)
Re: (Score:2)
This affected Delta and Sears websites where users entered data on the website to complete a transaction.
We understand malware present in [24]7.ai's software between Sept. 26 and Oct. 12, 2017 made unauthorized access possible for the following fields of information; name, address, payment card number, CVV number, and expiration date during their purchase process if this information was manually entered by the customer and the customer completed the purchase transaction.
Why did it take 5 months to disclose? As a simple hypothesis, I would suggest its because disclosure in November may have had an impact on Deltas ability to generate anticipated levels of revenue in December, a major holiday travel season.
Well, right now it's only a month or 2 away from another, longer major travel season: summer
Re: (Score:2, Informative)
Why did it take 5 months to disclose? As a simple hypothesis, I would suggest its because disclosure in November may have had an impact on Deltas ability to generate anticipated levels of revenue in December, a major holiday travel season.
It was discovered by [24]7 in the fall and according to the article, they sat on the information, not Delta/Sears.
In a statement, Sears said it was first notified about the breach in mid-March.
Re: (Score:3)
So it sounds like the ad was scraping the form fields, or doing a kind of man-in-the-middle attack on the form page? It's the acceptance of active advertising that opened the door for this type of behavior. The promise of highly targeted advertising based on tracking users across not only your site but the whole of the internet, gets content providers salivating at higher ad rates and willing to let XYZ ad network to run whatever scripts they want on their site.
How many more stories like this are we going t
Re: (Score:1)
Re: (Score:2)
I doubt they want to fuck around with insider trading charges.
That is why the CEO doesn't short the stock himself. He has his brother-in-law do it.
penalties (Score:4, Interesting)
$1 per name, email, physical address
$2 per phone number
$3 per credit card number
$4 per SSN
And multiply for combinations thereof. You'll see how fast companies move to secure their data.
Re: (Score:2)
Okay. One dollar for the first person, times one dollar for the second, ... times one dollar for the millionth. Perfect. So it will only cost us a dollar to leave things wide open. Sounds good. :-D
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Ad Nauseum (Score:3)
Paypal with 2fa. It's insane to type card details into a website.
Small wonder (Score:2)
"In addition, there is no evidence that our stores were compromised or that any internal Sears systems were accessed by those responsible."
Since you didn't install/activate the security that would have been able to prevent/detect or at least log any such breach, small wonder that there is no evidence.