Delta, Sears, Kmart hit by data breach: What you need to know (update)

Names, addresses and credit card numbers may have been stolen.

Sean Hollister Senior Editor / Reviews

Heads-up: If you bought plane tickets from Delta, tools from Sears or household goods from Kmart between Sep. 26 and Oct. 12 last year -- and you did it online -- your name, address and credit card numbers may have been exposed at those companies' websites.

Update, 3:25 p.m. PT: Best Buy is affected as well.

As far as we understand it, none of those companies' internal databases were actually breached. Instead, a piece of malware temporarily residing in their online chat service -- a chat service provided by [24]7.ai -- may have harvested your payment info after you completed a transaction. 

Even if you didn't use the online chat, you could be affected. "Any customer who entered payment data on delta.com during Sept. 26 to Oct. 17 may have had their information accessed," a Delta spokesperson told CNET.

In an FAQ, Delta says that multiple hundreds of thousands of its customers could potentially have had data stolen. Sears Holdings, which also owns Kmart, says it believes fewer than 100,000 of its customers were affected by the breach.

It's not clear if other companies have been affected. A January profile of [24]7.ai listed American Express, AT&T, Best Buy, Citi, eBay, Farmers Insurance and Hilton as possible clients of the chat company as well. A [24]7.ai spokesperson declined to comment, citing confidentiality agreements.

In a press release, however, [24]7.ai says the issue only affected "a small number of our client companies," and the vulnerability was fixed by Oct. 12 of last year. Both [24]7.ai and Delta say there's no indication yet that any personal information was actually stolen, only that it could have been.

However, it may be too early to tell, since Delta says it was only informed of the breach on March 28, a little over a week ago. Sears says it was informed in mid-March. 

Delta says it'll ensure customers won't be responsible for any fraudulent use of their credit cards, and will offer free credit monitoring. Sears Holdings will offer Sears and Kmart updates at this website.