[BreachExchange] Delta sues subcontractor over 2017 data breach

Destry Winant destry at riskbasedsecurity.com
Tue Aug 13 10:05:52 EDT 2019


Delta Airlines says a chatbot provider’s poor security caused the
airline to suffer a 2017 data breach.

In a complaint filed yesterday to the US District Court for the
Southern District of New York, Delta accused software company [24]7.ai
of allowing attackers to access its systems and take personal and
payment card data from Delta’s website. [24]7.ai provided a chatbot
service consumers could use on the airline’s website.

Through [24]7.ai’s failure to secure its systems, attackers were able
to exploit the company’s poor user authentication protocols to gain
full access, Delta said. The airline accused [24]7.ai of failing to
honour agreements between the two companies which said [24]7.ai was
compliant with various data security protocols – including the EU’s
GDPR – and that it would uphold data security standards.

Delta also said [24]7.ai only informed it of the breach five months
after the event, despite signing an agreement saying that it would do
so immediately. The complaint also alleged that rather than notifying
Delta through official channels, [24]7.ai staff messaged Delta
officials through LinkedIn.

“Defendants’ failure to provide timely, complete information hindered
Delta’s ability to proactively address the breach and communicate with
its customers about the incident, thereby exacerbating Delta’s costs
in responding to the data breach,” the complaint said.

Delta publicly revealed the breach in April 2018, after it was
informed about it and carried out an investigation. It currently faces
class action lawsuits linked to the incident.

Delta said the breach incurred major costs, including notifying
customers and regulators, paying external cybersecurity experts and
offering free credit monitoring. It has asked [24]7.ai to reimburse
those costs, but [24]7.ai has refused, the complaint said. The airline
has asked the court to force [24]7.ai to indemnify the airline and pay

The complaint also asked the court to make [24]7.ai’s parent US
company and its Philippine subsidiary – the entity which signed the
data security agreements – jointly liable. Delta accused [24]7.ai of
using its Philippines subsidiary purely to limit liability in the case
of a security incident. Delta has accused [24]7.ai of fraud,
negligence and breach of contract, and requested a jury trial.

[24]7.ai did not respond to a request for comment.

Counsel to Delta Airlines

King & Spalding

Partner Paul Straus in New York and partner David Balser and counsel
Andy Pratt in Atlanta are assisted by Matt Brigman.
