Incident: Cyber Security Breach at [24]7.ai Exposes Customer Payment Information

Published Date: 2018-04-04

Postmortem Analysis
Timeline:
1. The software failure incident happened on or after September 26, 2017, and was resolved on October 12, 2017 [70978].

System:
1. Software service provider [24]7.ai's online support services system
2. Delta Air Lines Inc's online customer payment information system
3. Sears Holding Corp's customer payment information system
4. Kmart's online customer payment information system
5. Any other companies using [24]7.ai's online support services system

Responsible Organization:
1. Software service provider [24]7.ai was responsible for causing the cyber security breach that led to the exposure of customer payment information for companies like Sears Holding Corp and Delta Air Lines Inc. [70978]

Impacted Organization:
1. Sears Holding Corp
2. Delta Air Lines Inc
3. Customers of Sears and Delta Air Lines
4. Software service provider [24]7.ai

Software Causes:
1. The software cause of the failure incident was a cyber security breach at software service provider [24]7.ai, which led to unauthorized access to customer payment information for companies like Sears and Delta Air Lines [70978].

Non-software Causes:
1. Cyber security breach at software service provider [24]7.ai [70978]

Impacts:
1. Unauthorized access to credit card information of under 100,000 Sears customers [70978]
2. Exposure of online customer payment information of Delta, Sears, and Kmart customers [70978]
3. Potential compromise of a small subset of Delta customers' information [70978]

Preventions:
1. Implementing robust cybersecurity measures such as regular security audits, penetration testing, and intrusion detection systems could have potentially prevented the cyber security breach at software service provider [24]7.ai [70978].
2. Ensuring timely detection and response to security incidents through real-time monitoring and alerting systems could have helped in identifying and resolving the breach sooner, reducing the impact on customer payment information [70978].
3. Conducting thorough vendor risk assessments and due diligence before partnering with software service providers like [24]7.ai to ensure they adhere to stringent security protocols and standards could have mitigated the risk of such incidents [70978].

Fixes:
1. Enhancing cybersecurity measures to prevent future cyber security breaches like the one at software service provider [24]7.ai, which led to the exposure of customer payment information for companies like Sears and Delta Air Lines [70978].

References:
1. Sears Holding Corp
2. Delta Air Lines Inc
3. Technology firm [24]7.ai
4. Reuters
5. Kanishka Singh in Bengaluru

Software Taxonomy of Faults

Category | Option | Rationale
Recurring | one_organization, multiple_organization | (a) The software failure incident having happened again at one_organization: The incident at software service provider [24]7.ai resulted in unauthorized access to customer payment information of companies like Delta Air Lines and Sears Holding Corp. This incident occurred on or after Sept. 26, 2017, and was discovered and resolved on Oct. 12 of the same year [70978]. (b) The software failure incident having happened again at multiple_organization: The cyber security breach at [24]7.ai affected online customer payment information of various clients, including Delta, Sears, and Kmart among other companies. This indicates that the software failure incident impacted multiple organizations that were clients of the service provider [70978].
Phase (Design/Operation) | design | (a) The software failure incident in the articles was related to the design phase. The incident occurred at software service provider [24]7.ai, affecting online customer payment information of clients like Delta Air Lines and Sears Holding Corp. The cyber security breach was a result of unauthorized access to credit card information, impacting under 100,000 customers. The incident was discovered and resolved by [24]7.ai, indicating a failure introduced during the system development or updates [70978]. (b) The articles do not provide information indicating a software failure incident related to the operation phase.
Boundary (Internal/External) | within_system | (a) The software failure incident in this case was within_system. The incident occurred at the software service provider [24]7.ai, which provides online support services for companies like Delta Air Lines and Sears Holding Corp. The cyber security breach that led to unauthorized access to customer payment information was a result of a failure within the system of [24]7.ai [70978].
Nature (Human/Non-human) | non-human_actions | (a) The software failure incident in this case was due to non-human actions, specifically a cyber security breach at the software service provider [24]7.ai. The incident led to unauthorized access to customer payment information of companies like Sears and Delta Air Lines. The breach occurred on or after Sept. 26, 2017, and was resolved on Oct. 12 by the technology firm [24]7.ai [70978]. (b) There is no specific mention in the article about the software failure incident being caused by human actions.
Dimension (Hardware/Software) | software | (a) The software failure incident reported in Article 70978 was not attributed to hardware issues. The incident was a cyber security breach at software service provider [24]7.ai, which led to unauthorized access to customer payment information of companies like Sears and Delta Air Lines. The breach was related to online customer payment information and was resolved by the software service provider [24]7.ai [70978]. (b) The software failure incident in Article 70978 was directly related to software issues. The cyber security breach occurred at the software service provider [24]7.ai, indicating that the failure originated in the software systems provided by [24]7.ai. The incident involved unauthorized access to customer payment information, highlighting a software vulnerability that was exploited by cyber attackers [70978].
Objective (Malicious/Non-malicious) | malicious | (a) The software failure incident in this case was malicious, as it was a cyber security breach at software service provider [24]7.ai that led to unauthorized access to customer payment information of companies like Sears and Delta Air Lines [70978].
Intent (Poor/Accidental Decisions) | poor_decisions | (a) The software failure incident involving Sears Holding Corp and Delta Air Lines Inc was due to a cyber security breach at software service provider [24]7.ai. The incident led to unauthorized access to customer payment information, affecting under 100,000 customers. This breach was a result of poor decisions or inadequate security measures that allowed the cyber attack to occur [70978].
Capability (Incompetence/Accidental) | accidental | (a) The software failure incident reported in the article was not attributed to development incompetence. The incident was a cyber security breach at software service provider [24]7.ai, affecting online customer payment information of clients like Delta Air Lines and Sears Holding Corp. The breach was discovered and resolved by the company [24]7.ai, indicating that the failure was not due to development incompetence [70978]. (b) The software failure incident was accidental in nature, as it was a cyber security breach that occurred on or after Sept. 26, 2017, and was discovered and resolved by the software service provider [24]7.ai on Oct. 12. The breach led to unauthorized access to credit card information of under 100,000 customers of Sears Holding Corp. and potentially exposed a small subset of Delta Air Lines customers, although it was uncertain if their information was accessed and compromised. The incident was not intentional but rather a result of a cyber security breach [70978].
Duration | temporary | The software failure incident related to the cyber security breach at software service provider [24]7.ai was temporary. The incident occurred on or after September 26, 2017, and was discovered and resolved by October 12 of the same year [70978].
Behaviour | omission, timing, value, other | (a) crash: The software failure incident in the article is not described as a crash where the system loses state and does not perform any of its intended functions [70978]. (b) omission: The incident led to unauthorized access to the credit card information of under 100,000 Sears customers, indicating an omission in protecting customer payment information [70978]. (c) timing: The cyber security incident affecting online customer payment information occurred on or after Sept. 26, 2017, and was resolved on Oct. 12, indicating a timing issue in the system's response to the breach [70978]. (d) value: The incident resulted in the exposure of customer payment information, indicating a value-related failure where the system performed its intended functions incorrectly by allowing unauthorized access to sensitive data [70978]. (e) byzantine: The article does not mention any inconsistent responses or interactions by the system that would classify the failure as a byzantine behavior [70978]. (f) other: The other behavior observed in this software failure incident is a security breach caused by a cyber attack on the software service provider [24]7.ai, leading to unauthorized access to customer payment information [70978].

IoT System Layer

Layer | Option | Rationale
Perception | None | None
Communication | None | None
Application | None | None

Other Details

Category | Option | Rationale
Consequence | property | (a) death: People lost their lives due to the software failure (b) harm: People were physically harmed due to the software failure (c) basic: People's access to food or shelter was impacted because of the software failure (d) property: People's material goods, money, or data was impacted due to the software failure (e) delay: People had to postpone an activity due to the software failure (f) non-human: Non-human entities were impacted due to the software failure (g) no_consequence: There were no real observed consequences of the software failure (h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur (i) other: Was there consequence(s) of the software failure not described in the (a to h) options? What is the other consequence(s)? The articles do not mention any consequences related to death, harm, basic needs, or non-human entities. The incident primarily involved the exposure of customer payment information, indicating a potential impact on property (credit card information) [70978]. There were no specific delays mentioned in the articles. The consequences were mainly related to data security breaches and potential financial losses for the affected customers.
Domain | sales | (a) The failed system was intended to support the sales industry as it involved a cyber security breach at software service provider [24]7.ai, which impacted the online customer payment information of clients like Delta Air Lines and Sears Holding Corp [70978].
