Following a security incident involving its website’s chat function, Delta filed suit in the Southern District of New York against its tech vendor, [24]7.ai. Delta alleged fraud, negligence and breach of contract. A consumer class action lawsuit had already been filed against Delta in the Northern District of Georgia, related to the same incident.

According to the Complaint, on March 28, 2018, Delta was notified by [24]7.ai that a security incident had potentially compromised personally identifying information and payment card data of up to 825,000 of Delta’s customers. Delta alleges that “at least one third-party attacker gained access to Defendants’ computer networks and modified the source code of Defendants’ chat services software to enable the attacker to ‘scrape’ PII and payment card data from individuals using websites of Defendants’ clients, including Delta’s website…” Delta engaged a forensics team and began working with federal law enforcement upon receiving notice from [24]7.ai. Delta then publicly announced the breach, notified its customers, launched free credit monitoring services, and filed a lawsuit against [24]7.ai. Delta is seeking reimbursement of all breach-related costs. 

Delta’s complaint alleged that [24]7.ai had inadequate authentication measures and inadequate security procedures by:

  • Permitting numerous employees to utilize the same login credentials;
  • Failing to require passwords that met PCI DSS standards;
  • Not instituting adequate automatic expiration dates for login credentials and passwords;
  • Allowing single-factor authentication to access sensitive source code; and
  • Failing to limit access to the source code running the chat function to those individuals who actually needed to access that code.

Although the data breach was believed to have occurred from September 26, 2017 to October 12, 2017, the defendant allowed over five months to pass before notifying Delta. When [24]7.ai did notify Delta, it did so through LinkedIn instead of official channels, according to the Complaint.

Delta further alleged that in February 2018, already knowing that a breach had occurred, [24]7.ai entered into an agreement with Delta to comply with GDPR and various data security protocols, including notifying Delta of a data breach. “Defendants’ failure to provide timely, complete information hindered Delta’s ability to proactively address the breach and communicate with its customers about the incident, thereby exacerbating Delta’s costs in responding to the data breach,” the Complaint stated.

Unfortunately, [24]7.ai had other customers affected by the issue, including Sears, Kmart, and Best Buy. The circumstances and responses varied:

  • Like Delta, Sears was not notified of the breach until March 2018. Sears stated that the hacker accessed fewer than 100,000 customers’ credit card information. “There is no evidence that our stores were compromised or that any internal Sears systems were accessed by those responsible.”
  • Best Buy announced that “a small fraction of our overall online customer population” was impacted due to the [24]7.ai malware attack. However, Best Buy stated that even the customers who did not use the chat on Best Buy’s website may have had their information accessed. According to a statement from Best Buy: “Since we were notified by [24]7.ai, we have been working to determine the extent to which Best Buy online customers’ information was affected.” Best Buy stated that it will notify any impacted customers directly.
  • Kmart released a statement that it is “working closely with federal law enforcement authorities, our banking partners, and IT security firms in this ongoing investigation. We cannot comment on any specific activities by those parties; please direct any questions to them.”

The Delta litigation against its vendor and the class action it faces from customers illustrate the cybersecurity pitfalls that can befall businesses engaged in everyday transactions. Vendors significantly affect a company’s cybersecurity due to their access to the company’s customer information—access they are required to have to perform their function. The immediate damage caused by a breach due to vendor mismanagement is borne by the business. A company can mitigate this risk by exercising due diligence in selecting and engaging a vendor. The pre-selection investigation should include a review of past cybersecurity issues. Any vendor agreement should expressly set out the standards the vendor is to meet and include preventative measures. The contract should also include: (1) confidentiality provisions for PII, (2) specification of uses of information, (3) specification of data security protocols, (4) flow down of prime contract requirements, (5) notification of data events, (6) encryption requirements, (7) clear PII definition, (8) insurance, (9) indemnification, (10) data minimization/classification, and (11) audit rights. This list is not exhaustive, and attention should be given to the specific business need.

Unfortunately for Delta, it suffered a breach despite its due diligence in selecting a vendor, investigating [24]7.ai’s cybersecurity measures, and entering into a GDPR and cybersecurity compliance agreement that included an immediate notification requirement in the event of a breach. The Delta situation illustrates the value of vendor management to cybersecurity, and although vetting may not catch every possible security risk, it can set baseline standards for vendor behavior that can provide remedies in the event of a problem.

For more information regarding this article, please contact Sean Griffin.

For information regarding Dykema’s Privacy and Data Security Team, please contact Cindy Motley.



As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2019 Dykema Gossett PLLC.