A malware attack against a company that provides contract chat services to some of America’s best-known companies could have resulted in the leak of hundreds of thousands of customers’ personal information. The data would have been leaked last fall between September 26 and October 12, according to statements from three companies.
It is important to note that no company has yet confirmed that any of its data was stolen. So far only the opportunity to steal customer data has been determined.
Delta Air Lines Inc. (NYSE: DAL) said in a statement released Wednesday that some “customer payment information” from clients of third-party chat provider 7.ai “may have been accessed.” In its statement, Sears Holdings Co. (NASDAQ: SHLD) said it “believed” the malware incident affected “less than 100,000 of our customers’ credit card information.” Best Buy Co. Inc. (NYSE: BBY) said in its statement that “information suggests” that “a number” of customers “may have” had their payment information compromised.
A January CNET profile of 7.ai listed other company clients: American Express Co. (NYSE: AXP), AT&T Inc. (NYSE: T), Citigroup (NYSE: C), Hilton Hotels Corp. (NYSE: HLT) and Farmers Insurance. American Express has confirmed to CNET that Amex customer data was not affected by the breach.
In a Wednesday press release, 7.ai said:
7.ai discovered and contained an incident potentially affecting the online customer payment information of a small number of our client companies, and affected clients have been notified. The incident began on Sept. 26, and was discovered and contained on Oct. 12, 2017. We have notified law enforcement and are cooperating fully to ensure the protection of our clients and their customers’ online safety. We are confident that the platform is secure, and we are working diligently with our clients to determine if any of their customer information was accessed.
According to DarkReading.com, Delta customers did not have to have interact with the chat service to become infected with the malware and, the report continues, “Delta blamed 7.ai for exposing the names, addresses, card numbers, CVV numbers, and card expiration dates of potentially several hundred thousand customers.”
Delta has created a dedicated website that it says it will update regularly to address questions and concerns. The airline also said it will directly contact customers who may have been affected by the incident.
Sears said it will establish a hotline for customers by Friday morning, and Best Buy has said it started a website to respond to customer concerns related to this incident and that it will contact affected customers directly. Best Buy also offered free credit monitoring services as needed.