Sears, Delta Airlines, and likely other "household name" companies are stepping up to say their customers were impacted in a third-party breach.
But for some reason, the vendor that was hacked sat on the news for more than five months before notifying any clients, including Delta and Sears.
In Delta's case, vendor [24]7.ai operates the airline's web chat program.
The California-based vendor issued a statement that raises a question: Why did the company wait until late March to notify clients of the breach?
"[24]7.ai discovered and contained an incident potentially affecting the online customer payment information of a small number of our client companies, and affected clients have been notified. The incident began on Sept. 26, and was discovered and contained on Oct. 12, 2017."
Delta says it only learned of the incident on March 28.
Is 5 months reasonable to notify your customers of an incident?
I think most of us would answer the question above with a gut reaction of "no." However, opinion can be different from fact, especially in the eyes of the law.
So I asked SecureWorld speaker and cybersecurity attorney Shawn Tuma for his take. He has helped many, many companies with their incident response.
He says there can be extenuating circumstances in any breach, but this one certainly is out of the norm.
"Generally speaking, in cases such as this involving data breaches where one business partner is the entity breached but the data is that of another business partner's customers, time is of the essence and notifying the business partner whose customers' data was breached is one of the most important and top priorities such that it is usually required within minutes, if not hours of determining that it has likely occurred," Tuma says.
"In many cases these days, there are contractual agreements between the parties that specify how quickly this notice must be given and in such cases the time period is usually that of minutes or hours, at the most. Unless this is an unusual case involving circumstances that I really cannot grasp at the moment, it will be very difficult to argue that this many months would be considered a reasonable amount of time."
Delta Airlines' response
What will more likely be seen as reasonable is Delta Airlines' response. Within a week of being notified by the vendor, Delta had already done significant checks on the vendor's account of the incident. Delta's statement, in part:
"Upon being notified of [24]7.ai's incident, Delta immediately began working with [24]7.ai to understand any potential impact the incident had on Delta customers, delta.com, or any Delta computer system. We also engaged federal law enforcement and forensic teams, and have confirmed that the incident was resolved by [24]7.ai last October. At this point, even though only a small subset of our customers would have been exposed, we cannot say definitively whether any of our customers' information was actually accessed or subsequently compromised."
Delta says it will keep updates coming through delta.com/response, a page the company set up just today to handle the situation.
SecureWorld has reached out to the web chat vendor and asked specifically, "Can you explain why it was reasonable to notify your clients of a cyber incident more than five months after it occurred?"
We'll let you know what the company says.
And in the meantime, this could be a good opportunity to review the kind of contractual agreements with your key vendors that Tuma mentioned, in particular how quickly they must notify you of an incident.
That way, you'll know what their obligations to your organization are if they have a cyber incident involving your data or that of your customers.