Thousands of Sears, Delta customers affected by data breach

A third-party vendor used by both companies announced that its system had been breached for two weeks starting in September 2017.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • Sears claimed "less than 100,000" of its customers were affected by the hack.
  • The vendor refused to answer questions about why they waited almost six months to notify the companies.

Delta Air Lines and Sears Holdings Corp. revealed yesterday that one of their third-party vendors, which manages online customer chat services, had been hacked in September 2017, leaving the credit card information of hundreds of thousands of people open to cybercriminals for more than two weeks.

Questions remain unanswered about why it took so long for the hack to be noticed, and why Delta and Sears were only notified of the data breach in mid-March 2018, months after the initial hack took place.

[24], the vendor that was hacked, said in a statement that it was "working diligently with our clients to determine if any of their customer information was accessed." They did not answer multiple questions from the media about why they waited so long to tell the companies about what happened.

The hack began on September 26, 2017 and was discovered by [24] two weeks later on October 12, 2017.

Sears and Delta said they were working with federal law enforcement and credit card companies to deal with the breach, but gave conflicting information on whether they believe information was stolen or accessed during the two-week window.

"At this point, even though only a small subset of our customers would have been exposed, we cannot say definitively whether any of our customers' information was actually accessed or subsequently compromised," Delta said in its statement, stressing that no passport information or government IDs were impacted by the hack.

Sears, on the other hand, said, "we believe the credit card information for certain customers who transacted online between September 27, 2017 and October 12, 2017 may have been compromised," but claimed none of its stores or Sears-branded credit cards had been affected.

"Data security is of critical importance to our company, and we take any matter related to customer's personal information very seriously," Sears said, adding that Kmart customers were also affected by the hack.

Delta would not say how many customers were affected, only referring to it as a "small subset," while Sears said it was less than 100,000. The information that was breached included credit card numbers, addresses, expiration dates, and CVV numbers.

This latest hack comes just days after high-end retailers Lord & Taylor and Saks Fifth Avenue revealed that their systems had been breached. The credit card data of millions is now being sold on the dark web due to the hack.

Like Saks and Lord & Taylor, Delta and Sears have set up websites and hotlines for concerned customers. Both companies also plan to contact customers who they are certain were affected by the hack, and they reminded their buyers that no one is liable for unauthorized or fraudulent account activity.
