U.S. Markets close in 3 hrs 44 mins

Delta Sues Chatbot Vendor Faulted for Data Breach

Sean O'Neill, Skift
Delta Sues Chatbot Vendor Faulted for Data Breach

Delta Air Lines is suing a vendor of customer service technology, [24]7.ai, for a breach of passenger data. The airline alleges the company had a weak password for its systems, making it too easy for an outsider to crack.

Between September 26, 2017, and October 12, 2017, at least one hacker tapped delta.com via [24]7.ai’s computers. The hacker could have scraped the names, addresses, and full credit card details of up to 825,000 U.S. customers. The carrier still doesn’t know if a hacker misused any of its customers data.

On August 8, Delta filed a suit against the Philippines-based vendor. The carrier wants to recover “millions of dollars in costs” it spent investigating the breach, notifying its customers, and paying for free credit monitoring products for affected passengers. The airline is also defending itself in consumer class action suits over the data breach.

The breach stopped on October 12. Logically, the vendor must have found and removed the code at that time. But the companies declined requests for comment.

But [24]7.ai kept news of the breach from the airline until March 2018. That was a month after the carrier had signed a renewal contract. The delay violated the vendor’s contractual promise to let Delta know right away of any data breach.

BASIC PASSWORD NEGLIGENCE

The artificial intelligence company apparently didn’t show much natural intelligence. It let many employees use the same login to its systems. Its passwords were weak. What’s more, the company didn’t use second-factor or multi-factor authentication, which is a common safeguard that prevents knowing a simple password from being enough for a user to gain access.

A hacker either stole the login credentials, guessed them, or was fed them by an employee. Once in the system, the hacker modified the chatbot’s source code to let it screen-scrape, or capture, user’s data as users entered it.

Regardless of the legal outcome, Delta’s case illustrates that data security at the most powerful travel brands is only as strong as its weakest links. Many executives may be asking whether their third-party vendors take necessary security precautions.

Delta’s not the only airline to experience data breaches. Last year, a hacker accessed credit card, passport, and other details of about 9 million Cathay Pacific passengers.

Subscribe to Skift newsletters covering the business of travel, restaurants, and wellness.