BreachExchange mailing list archives
Delta sues subcontractor over 2017 data breach
From: Destry Winant <destry () riskbasedsecurity com>
Date: Tue, 13 Aug 2019 09:05:52 -0500
https://globaldatareview.com/article/1196183/delta-sues-subcontractor-over-2017-data-breach

Delta Airlines says a chatbot provider’s poor security caused the airline to suffer a 2017 data breach.

In a complaint filed yesterday to the US District Court for the Southern District of New York, Delta accused software company [24]7.ai of allowing attackers to access its systems and take personal and payment card data from Delta’s website.

[24]7.ai provided a chatbot service consumers could use on the airline’s website. Through [24]7.ai’s failure to secure its systems, attackers were able to exploit the company’s poor user authentication protocols to gain full access, Delta said.

The airline accused [24]7.ai of failing to honour agreements between the two companies which said [24]7.ai was compliant with various data security protocols – including the EU’s GDPR – and that it would uphold data security standards.

Delta also said [24]7.ai only informed it of the breach five months after the event, despite signing an agreement saying that it would do so immediately. The complaint also alleged that rather than notifying Delta through official channels, [24]7.ai staff messaged Delta officials through LinkedIn.

“Defendants’ failure to provide timely, complete information hindered Delta’s ability to proactively address the breach and communicate with its customers about the incident, thereby exacerbating Delta’s costs in responding to the data breach,” the complaint said.

Delta publicly revealed the breach in April 2018, after it was informed about it and carried out an investigation. It currently faces class action lawsuits linked to the incident.

Delta said the breach incurred major costs, including notifying customers and regulators, paying external cybersecurity experts and offering free credit monitoring. It has asked [24]7.ai to reimburse those costs, but [24]7.ai has refused, the complaint said.

The airline has asked the court to force [24]7.ai to indemnify the airline and pay damages. The complaint also asked the court to make [24]7.ai’s parent US company and its Philippine subsidiary – the entity which signed the data security agreements – jointly liable. Delta accused [24]7.ai of using its Philippines subsidiary purely to limit liability in the case of a security incident.

Delta has accused [24]7.ai of fraud, negligence and breach of contract, and requested a jury trial.

[24]7.ai did not respond to a request for comment.

Counsel to Delta Airlines

King & Spalding

Partners Paul Straus in New York and partner David Balser and counsel Andy Pratt in Atlanta are assisted by Matt Brigman