
Sears Holdings, Delta and others leak credit cards in “multibreach”

If a third party leaks credit card numbers they were holding on your behalf... it's still your neck on the block.

Another day, another data breach.
More precisely: another day, another multibreach, caused by a common point of failure.
That’s a bit like what happened recently when hundreds of government websites ended up cryptojacked because a shared service provider – in that case, a web-based text-to-speech system – got hacked, and “passed on” the hack to all its customers.
This time, at least Sears Holdings, owners of brands such as Sears and Kmart, and Delta Airlines were affected by a breach at a chatbot company that both companies use.
The company that spilled the data is the curiously-named [24], a company whose website leads with the question, “Ready to Join the Chatbot Revolution?” and follows up with a free white paper entitled, “Why Delighting Customers is a Waste of Time and Money.”

Update. As pointed out by @lgcslyr in the comments below, Best Buy has now confirmed that it too is on the list of retailers affected in this incident. [2018-04-05T23:30Z]

Unfortunately for both Sears Holdings and Delta, at the same time that [24] was saving them money by not delighting customers, the company was also costing them reputation points (and perhaps getting them into regulatory trouble) by leaking personal customer information.
According to Sears Holdings:

[24], a company that provides online support services to Sears and Kmart, notified us, as well as a number of other companies, that they experienced a security incident last fall. We believe this incident involved unauthorized access to less than 100,000 of our customers’ credit card information. As soon as [24] informed us in mid-March 2018, we immediately notified the credit card companies to prevent potential fraud, and launched a thorough investigation with federal law enforcement authorities, our banking partners, and IT security firms.

According to Delta:

Last week, on March 28, Delta was notified by [24], a company that provides online chat services for Delta and many other companies, that [24] had been involved in a cyber incident. It is our understanding that the incident occurred at [24] from Sept. 26 to Oct. 12, 2017, and that during this time certain customer payment information for [24] clients, including Delta, may have been accessed – but no other customer personal information, such as passport, government ID, security or SkyMiles information was impacted.

We have to imagine that the customers of [24] are surprised – if not incensed – that the company took so long to pass on news of the breach, given that the ultimate accountability for safeguarding the information lies with those customers, not with [24] itself.
Of course, we also have to assume that [24] may not even have realised they’d been hacked until well after the event.
It’s surprisingly common for credit card breaches to be picked up by the card issuers themselves, after the data has been sold on the underground and actively abused, because of what are called CPPs, or common points of purchase, amongst defrauded card holders.
(With apologies to Oscar Wilde, to lose one credit card number may be regarded as a misfortune; to lose two looks like carelessness; to lose hundreds of thousands is a large-scale compromise.)

The reaction

Well done to Sears Holdings and Delta for providing prompt public commentary on their websites, and for setting up dedicated web pages where customers can track the breach investigation as it goes on.
Even better is that both companies avoided “doing an Equifax” – after its 2017 megabreach, Equifax infamously set up a brand new domain name as a landing page for updated information.
Being brand new, this one-off domain, equifaxsecurity2017 DOT com, had no reputation with any search engines, looked like a scam itself, and as good as begged typosquatters to register similar names to trap unwary visitors.
Equifax went on to compound that blunder when its PR company tweeted out an incorrect version of the new “security incident domain”, making a bad thing even worse.
The PR company wrote securityequifax2017 instead of equifaxsecurity2017 – fortunately a security researcher registered the misnamed domain before the crooks could do so.
This is a blunder that simply wouldn’t have happened if Equifax had stuck to a URL that was part of its regular website.
Sears Holdings has gone for and Delta has chosen, thus taking advantage of their already-known domain names and the HTTPS certificates associated with those domains.
Just two notes, though, as we write this [2018-04-05T15:00Z]:

  • Sears Holdings officially linked to the http:// version of its page. Because the page is also available by using https://, why mention the unencrypted HTTP version at all?
  • Delta’s page didn’t exist yet and gave an error. The error page confusingly said, “THAT PAGE ISN’T ON OUR RADAR”. Why not create the page with a “coming soon” message instead, rather than reporting an error and inadvertently encouraging customers to go looking elsewhere?

What to do?

We don’t yet know what really happened, except that an online support company ended up creating a whole host of unwanted support issues for its customers.
In the meantime: watch those credit card statements; consider requesting a new card if you think you might be affected; and remember…
…you can outsource your work, but not your accountability.


Delta – airline – RADAR (ha ha ha). Yesterday it may have been cute. You can’t be cute on The Internet anymore.


“you can outsource your work, but not your accountability.”
How much better the world would be if everyone’s work and lives were guided by that.
That’s going on my wall of quotes.


What I want to know is why a chatbot service provider even had access to credit card info? Only Sears, Delta and Best Buy were offering goods or services that required payment from individuals. It would seem that a chatbot had no legitimate need to have access to credit card numbers.


I think the chatbot service was simply a vehicle to implement malware on the clients’ servers that allowed the bad guys to scrape the card data from those servers.


Retract? Show my evidence? Only one problem: I MADE NO ACCUSATION WHATSOEVER.
Geez, Paul, enjoy a cold, refreshing adult beverage and settle down. If there is anything for me to apologize for it would be that I didn’t make myself clear enough for you to understand. I was trying to say precisely what you described as “a much more likely explanation”; that the chat service was being used by some jerk(s) to make a way into the systems of Sears Holdings, Delta and whomever else might have been impacted. I don’t quite see how/why you would interpret my comment as an accusation. I am open to an apology.
Boy, you’ve been ornery lately. Time for a softer seat on your bicycle?


Sorry about that – I misread your comment to be saying the chatbot service existed to serve as a Trojan Horse, not that it might have been the vulnerability that let the crooks in. I have deleted my comment accordingly.


I wondered that. I can only assume that the service had some sort of sales quota that could be achieved with voice loops for various common chargeable extras or upgrades – things that spring to mind that might easily, if soullessly, be automated for website chat users and telephone callers include, “would you like to buy an extended warranty?”, “would you like to reserve your seats now?”, “would you like to change your flight and pay in the fare difference”, “would you like fries with that”, etc.

