Sears and Delta breaches

The customers of at least two major US companies, department store chain Sears and Delta Airlines, might have had their payment card details stolen due to a hack at a common software supplier.

The hacked company is [24]7.ai, a San Jose-based company that provides various customer support services, including live chat systems and AI-assisted chatbots.

The company revealed on Wednesday that an unauthorized party gained access to its network, from where it collected customer payment information for a small number of client companies.

Affected companies go beyond Sears and Delta

[24]7.ai did not reveal any customer names, but on the same day, both Sears and Delta Airlines published press releases revealing they were two of the victims.

Delta says the attacker managed to get its hands on information such as the card holder's name, address, card number, CVV number, and expiration date.

Delta didn't reveal how many passengers were affected but said the attacker didn't gain access to passport or government ID details, nor to data hosted in the SkyMiles program.

On the other hand, Sears put a number on the breach, revealing the attacker had access to fewer than 100,000 payment card numbers.

Hack took place last year

While [24]7.ai remained mum on the incident, revealing very few details, Delta Airlines says the attacker managed to infect the chat provider's network with malware on September 26, 2017.

[24]7.ai discovered and removed the malware from its network on October 12. The chat provider then spent five and a half months investigating the incident together with law enforcement.

Only in late March did [24]7.ai notify Sears, Delta, and the other affected companies of the incident, so they could, in turn, tell their own customers.

Despite the breach being [24]7.ai's fault, Delta is now providing free credit monitoring services to all affected customers. Both Delta and Sears are warning users who used their websites to place orders to keep an eye on card statements for suspicious transactions. Customers did not have to interact with the online chat tool to be impacted.

[24]7.ai incident timeline

However, Sears and Delta aren't the only companies that suffered card breaches this week. On Monday, news surfaced that Panera Bread might have exposed the card details of millions of customers after ignoring a security researcher's warnings for more than eight months.

Also on Monday, news surfaced that hacking group FIN7 had stolen and put up for sale card details for over five million customers of high-end luxury store chain Saks, Lord & Taylor.

Update [April 6]: Post-publication, Best Buy, too, admitted to having been affected by the [24]7.ai cyber-incident. The store chain did not reveal how many customers were affected.