Big-box electronics retailer Best Buy has joined Sears, Sears subsidiary Kmart and Delta Airlines in having customer payment information exposed.
The culprit is a cybersecurity breach at third-party software provider, [24]7.ai, that provides online automated chat and other customer support functions. The breach affected users processed through its platform starting on 26 September 2017 last year; the issue persisted until its discovery on 12 October 2017. Yesterday it came to light that Sears, Kmart and Delta were affected. Like those companies, Best Buy is still assessing the extent of the damage.
“As best we can tell, only a small fraction of our overall online customer population could have been caught up in this [24]7.ai incident, whether or not they used the chat function,” Best Buy said in a statement.
As we reported, it’s unclear if additional clients are also affected, but the issue has the potential to be far reaching. The company said itself that the “world's largest and most recognizable brands are using intent-driven engagement from [24]7.ai to assist several hundred million visitors annually, through more than 1.5 billion conversations, most of which are automated.”
"Similar to the 2014 Home Depot and Target incidents, this cyber-attack on one part of a software supply chain had direct consequences for others down the line,” said Sammy Migues, principal scientist at Synopsys, via email. “Even if the attackers were solely targeting [24]7.ai, the attack had direct consequences for their downstream clients. Incidents where the initial entry point is with a third-party supplier rather than the ultimate victim are becoming all too common.”