Sears, Delta, Best Buy, Kmart and likely more organizations have been the victims of a breach affecting payment card information that was obtained through online chat provider 7.ai. These attacks took place over the course of a few months in the latter part of 2017 but weren’t reported by the chat provider until April of 2018.
Thankfully, it seems as though the breach was relatively small in comparison to other high-profile breaches over the last few years, and the actual impact to consumers themselves relatively minor. According to Sears, 100,000 customer records were affected. Delta were vaguer but still claimed that the number of affected customers was small.
7.ai is a customer experience software and services company that deals with enterprise organizations in numerous sectors across the globe. A press release issued by the organization stated full co-operation with law enforcement and that they are “confident that the platform is secure.”
The problem with this breach, as highlighted by numerous security experts, is how it was handled by the chat provider. Despite knowing about the breach since September of 2017, many of the companies involved were not made aware until very recently. PCI DSS compliance states that breaches must be detected and breach notifications much be made to those involved “in the most expedient time possible and without undue delay.”
The reason that this is stated in some form in most compliance regulations dealing with breaches, is that the quicker the reaction time, the higher the chance of being able to mitigate the damages. The organizations involved all reacted far better upon being notified than 7.ai did, notifying the affected customers as quickly as they could.
At the moment of writing, little is known about why it took the payment company so long to notify the affected organizations, but the case should be taken as a warning of how important it is to be able to quickly identify and react to a breach in progress. Organizations need to ensure that they have a way of auditing all accesses made to payment data, users of that payment data and permissions in order to meet PCI DSS compliance and respond faster to breaches.
LepideAuditor enables you to audit activities concerning this data and generate alerts and reports in real time whenever a suspicious, unauthorized or unnecessary change takes place. Threshold-based alerts can also be used to make users aware of whenever a large number of changes take place over a small period of time, which could be indicative of an attack.
It is advised that your organization deploy a solution such as this one before you become a victim of the next targeted data breach.