Attackers stole payment card data from the affected companies between September and October.
Hackers appear to have stolen customer payment data from both Delta Air Lines and Sears by targeting a third-party chatbot provider.
Sears, which also owns Kmart, said the breach involved credit card information from fewer than 100,000 customers who made online transactions with the company between Sept. 27 and Oct. 12, 2017.
Delta said the hackers stole customer payment data during roughly the same timeframe. Only a “small subset” of Delta customers were affected, it said, and the breach was limited to payment information. “No other customer personal information, such as passport, government ID, security, or SkyMiles information was impacted,” it said in a statement.
The third-party chatbot provider 7.ai reported the breach on Wednesday. However, the San Jose-based company originally learned of the intrusion on Oct. 12, when it contained the breach.
The incident affected a “small number” of the chatbot provider’s clients, 7.ai said in a statement. But the company declined to identify them or offer more details, such as why it didn’t notify Delta or Sears earlier.
“We are confident that the platform is secure, and we are working diligently with our clients to determine if any of their customer information was accessed,” the chatbot provider said.
How 7.ai was breached also remains unclear. But according to experts, hackers like to prey on third-party providers as a way to attack large corporations. “This breach highlights the importance of securing the vendor ecosystem as well as our own in-house systems,” said Laurie Mercer, solutions engineer at security provider HackerOne, in an email.
Law enforcement is investigating the incident; Delta and Sears are contacting affected customers.