Delta Airlines sued an artificial intelligence company, which offers chatbot services on Delta’s website, for its lax security measures that caused a 2017 data breach. The airline has filed a lawsuit in the U.S. District Court in New York against the vendor, claiming its poor security and weak passwords led to the data breach that exposed around 825,000 Delta customers.
Delta Airlines stated that the vendor took around 6 months to disclose the data breach. The carrier also stated the vendor disclosed breach details via LinkedIn instead of contacting it directly. According to the lawsuit, the breach exposed customers’ names, contact numbers, email addresses, and credit card information.
The vendor allowed its employees to use the same login credentials and didn’t use multi-factor authentication, according to the lawsuit.
“What’s particularly interesting about this situation is that Delta seems to have had contract provisions and had its provider sign a GDPR compliance addendum in February 2018 requiring immediate breach notification, five months before notifying Delta about the breach,” said Gary Roboff, Senior Advisor at Shared Assessments. “Delta says its vendor was aware of the breach when it signed that agreement.”
“If Delta actually used the words ‘adequate security’ instead of defining more precisely what good security hygiene means, that could be a problem,” Roboff added.
Recently, the U.K. Information Commissioner’s Office (ICO) fined British Airways £183.39 million ($230 million) after the airline failed to protect its customers’ data. The proposed fine relates to a data breach that British Airways reported to the ICO in September 2018 and that exposed the personal information of around 500,000 customers.
The ICO said its investigation found that the breach compromised customer details, including login, payment card, name, address, and travel booking information, which was collected after users were diverted to a fraudulent website. The data breach, which began in June 2018, occurred because of poor security measures for protecting customer information, the ICO stated.