An interesting conundrum. If you ask a supplier to prove that they have effective security controls in place and they furnish documentation to that effect, who is ‘guilty’ when there is a breach; the supplier, their auditor, you?…:
In an unusual move, Delta Airlines (Delta) sued one of its vendors last week for the data breach it experienced in 2017. It’s an unusual move for several reasons. First, in our experience when a vendor causes a data breach, there is usually a contractual provision that can be followed that outlines the responsibility of the parties in the event of a security incident. The contractual language is usually followed and the parties can resolve the issues of reimbursement by following the contract. Second, there may be insurance involved for both parties. The parties work with the insurers to make claims and seek reimbursement for costs associated with the data breach.
There also may be issues of limitation of liability, and in that scenario, there is usually an alternative dispute resolution clause and the parties may seek alternative means to resolve the issue around reimbursement through that means. After all of these measures have been addressed would litigation be the favored option. It is a last resort to get involved in prolonged litigation—it is costly and very time consuming.
We don’t know how any of these factors played into Delta Airlines’ decision to sue its vendor 7.ai, Inc. (24/7), but reading the allegations in the Complaint provide ample reasons why they did. It reads like a novel. Please note that the Complaint sets forth only Delta’s side of the story and 24/7 has not yet answered the Complaint or provided its side of the story here.
According to the lawsuit, in early 2017, Delta commenced an RFP process for vendors to submit bids to provide a chat function on Delta’s website. Although 24/7 was not part of the original RFP process, it was able to submit a proposal after the deadline, and Delta performed due diligence on its data security measures. In response to Delta’s questions about data security, 24/7 provided Delta with documentation and a security white paper specifically addressing its Chat Platform security and outlining the “extensive” security measures in place, including compliance with industry standards, and strict access controls.
Delta chose 24/7 as the winning vendor and an agreement was entered into by the parties sometime in the summer of 2018. Further, on February 1, 2018, 24/7 entered into a GDPR Agreement with Delta that attested to its compliance with the GDPR and minimum data security measures, as a requirement to notify Delta of a data breach.
According to the Complaint, just months after the initial agreement was entered into with 24/7, “at least one third-party attacker gained access to Defendants’ computer networks and modified the source code of Defendants’ chat services software to enable the attacker to ‘scrape’ PII and payment card data from individuals using websites of Defendants’ clients, including Delta’s website…”
Delta alleges that the attacker was able to obtain full access login because 24/7 had inadequate authentication measures. Delta further alleges that 24/7 had inadequate security measures including: “allowing numerous employees to utilize the same login credentials; did not limit access to the source code running the [24/7] chat function to only those individuals who had a clear need to access that code; did not require the use of passwords that met PCI DSS…standards; did not have sufficient automatic expiration dates for login credentials and passwords…; and did not require users to pass multi-factor authentication prior to being granted access to sensitive source code.”
As a result of these security lapses, Delta alleges that an intruder was able to use scraping malware to obtain the credit card information of approximately 800,000-850,000 of its customers.
Even worse, Delta alleges that 24/7 knew about the incident in September or October of 2017 and did not notify Delta of the incident until 5 months later through LinkedIn messages to some Delta employees. The Complaint alleges that 24/7 still has not provided “formal detailed notice” of the incident. Still worse, (how can it get worse?), 24/7 signed and returned the GDPR Addendum to Delta in February of 2018 when it knew that the security incident had occurred.
Delta publicly announced the breach, notified its customers, provided them with mitigation services and was promptly sued in class action litigation, all of which costs a lot money that Delta is seeking reimbursement from 24/7, and 24/7 is apparently refusing to pay.
There are so many wrongs here that make this case so unusual and warranted. There are also numerous lessons to learn for vendors—obvious dont’s when providing services to companies and in the aftermath of a security incident. It will be an interesting case to follow.