Delta Sues Chatbot Vendor Faulted for Data Breach


Skift Take

Many grandmothers have tighter password security than tech vendor [24]7.ai allegedly did. A hacker had an easy time accessing the vendor's code, and through it, the payment card data of up to 825,000 Delta customers. No wonder the airline is suing.

Delta Air Lines is suing a vendor of customer service technology, [24]7.ai, for a breach of passenger data. The airline alleges the company had a weak password for its systems, making it too easy for an outsider to crack.

Between September 26, 2017, and October 12, 2017, at least one hacker tapped delta.com via [24]7.ai’s computers. The hacker could have scraped the names, addresses, and full credit card details of up to 825,000 U.S. customers. The carrier still doesn’t know if a hacker misused any of its customers’ data.

On August 8, Delta filed a suit against the Philippines-based vendor. The carrier wants to recover “millions of dollars in costs” it spent investigating the breach, notifying its customers, and paying for free credit monitoring products for affected passengers. The airline is also defending itself in consumer class action suits over the data breach.

The breach stopped on October 12. Logically, the vendor must have found and removed the code at that time. But the companies declined requests for comment.

But [24]7.ai kept news of the breach from the airline until March 2018. That was a month after the carrier had signed a renewal contract. The delay violated the vendor’s contractual promise to let Delta know right away of any data breach.

BASIC PASSWORD NEGLIGENCE

The artificial intelligence company apparently didn’t show much natural intelligence. It let many employees use the same login to its systems. Its passwords were weak. What’s more, the company didn’t use second-factor or multi-factor authentication, a common safeguard that keeps a simple password alone from being enough to gain access.

A hacker either stole the login credentials, guessed them, or was fed them by an employee. Once in the system, the hacker modified the chatbot’s source code to let it screen-scrape, or capture, users’ data as they entered it.

Regardless of the legal outcome, Delta’s case illustrates that data security at the most powerful travel brands is only as strong as its weakest links. Many executives may be asking whether their third-party vendors take necessary security precautions.

Delta’s not the only airline to experience data breaches. Last year, a hacker accessed credit card, passport, and other details of about 9 million Cathay Pacific passengers.
