Dive Brief:
- Delta Airlines and Sears Holdings Corp. were among the customers impacted by a malware attack on a software vendor, called [24]7, which provides the companies with online chat services, according to both Delta and Sears. The malware was in [24]7's system in 2017 between September 26 and October 12, potentially compromising credit card numbers used in that time frame.
- The companies disclosed data breaches affecting payment information of their customers, reports Fortune. Sears later said the incident impacted less than 100,000 of its customers. Delta believes that the information of "several hundred thousand customers" may have been exposed as a result of the cyberattack.
- Delta and Sears were not alone in announcing breaches this week. Saks Fifth Avenue, Saks Off 5th and Lord & Taylor disclosed they were among the retailers under Hudson's Bay's umbrella to have their in-store point-of-sale systems compromised last year. Reports also surfaced this week that Panera Bread suffered a breach, according to KrebsOnSecurity. Over an eight-month period, 37 million customer records leaked; the food chain, however, disputed the extent of the breach.
Dive Insight:
From soups to passports to shoes, businesses across industries were victims of this week's latest security breaches.
But the attack on a company's tech vendor says more about the relationship businesses have with their providers than it does about security in general.
All too often, malware attacks prey on shortcomings in cybersecurity. Usually the cracks are in the foundation, whether outdated software or a workforce untrained to recognize phishing schemes.
But if a vendor is hackable, so are its customers. Cybersecurity practices are only as strong as their weakest link, and that includes everyone on a company's network. This is not the first time a business has been left dealing with the fallout of a security breach caused by a tech provider's problems.
Open AWS S3 buckets have led the Department of Defense, World Wrestling Entertainment and Verizon to clean up data leaks. Neither the private nor the public sector can run functional cybersecurity practices in isolation.
Instead, vendors and their customers need constant communication to avoid a "software jailhouse," or the friction that develops when one business lets its partners down.