Sears, the department store operator, and Delta Air Lines, the airline operator, disclosed Wednesday (April 4) that payment information of some of their customers could have been exposed as part of a data breach at [24]7.ai, the software provider.
According to a report in Reuters citing the companies, [24]7.ai, which provides online support services to Sears and Delta Air Lines, among other firms, informed Sears in the middle of March that the hack resulted in the unauthorized access of credit card information for fewer than 100,000 customers. The hack happened on or around Sept. 26, 2017, and was identified and resolved on Oct. 12. Meanwhile, Delta Air Lines told Reuters that it was a small number of customers that had their data exposed in the compromise. The airline operator said personal details on things such as passports, government identifications, security, and SkyMiles information was not impacted as part of the breach. Sears noted its stores and internal systems were left out of the breach as well. There wasn’t any information on customers using the Sears credit card impacted in the hack either, noted the report.
Sears and Delta are the latest retailers or consumer-facing companies that disclosed compromises in recent weeks. Take Panera Bread. It left the data of millions of customers online for eight months or more before removing it from the bakery restaurant’s website Monday (April 2), reported KrebsOnSecurity. According to KrebsOnSecurity, the data, which includes names, email and physical addresses, birthdays, loyalty card numbers and the last four digits of credit card numbers, was visible in plain text on the Panerabread.com website for anyone that was signing up to place online food orders from the website for pickup or delivery. The data, according to the report, was searchable by different categories including loyalty account number. Web visitors, for example, could search by phone number or email address. KrebsOnSecurity said it was alerted to the leak by Dylan Houlihan, a security researcher that had let Panera know about the issue on August 2, 2017. The report noted that shortly after Panera was contacted for comment on the matter, the information was removed from the website.