In an unusual move, Delta Airlines (Delta) sued one of its vendors last week for the data breach it experienced in 2017. It’s an unusual move for several reasons. First, in our experience when a vendor causes a data breach, there is usually a contractual provision that can be followed that outlines the responsibility of the parties in the event of a security incident. The contractual language is usually followed and the parties can resolve the issues of reimbursement per the contract. Second, there may be insurance involved for both parties. The parties work with the insurers to make claims and seek reimbursement for costs associated with the data breach.

There also may be issues of limitation of liability, and in that scenario, there is usually an alternative dispute resolution clause and the parties may seek alternative means to resolve the issue of reimbursement. Only after all of these measures have been addressed would litigation be the favored option. It is a last resort to get involved in prolonged litigation—it is costly and very time consuming.

We don’t know whether any of these factors played into Delta Airlines’ decision to sue its vendor [24], Inc. (24/7), but reading the allegations in the Complaint provides ample reasons for doing so. It reads like a novel. Please note that the Complaint sets forth only Delta’s side of the story; 24/7 has not yet answered the Complaint or provided its side of the story here.

According to the lawsuit, in early 2017, Delta commenced an RFP process for vendors to submit bids to provide a chat function on Delta’s website.  Although 24/7 was not part of the original RFP process, it was able to submit a proposal after the deadline, and Delta performed due diligence on its data security measures. In response to Delta’s questions about data security, 24/7 provided Delta with documentation and a security white paper specifically addressing its Chat Platform security and outlining the “extensive” security measures in place, including compliance with industry standards  and strict access controls.

Delta chose 24/7 as the winning vendor and an agreement was entered into by the parties sometime in the summer of 2018. Further, on February 1, 2018, 24/7 entered into a GDPR Agreement with Delta that attested to its compliance with the GDPR and its minimum data security measures, including the requirement to notify Delta of a data breach.

According to the Complaint, just months after the initial agreement was entered into with 24/7, “at least one third-party attacker gained access to Defendants’ computer networks and modified the source code of Defendants’ chat services software to enable the attacker to ‘scrape’ PII and payment card data from individuals using websites of Defendants’ clients, including Delta’s website…”

Delta alleges that the attacker was able to obtain full access login because 24/7 had inadequate authentication measures. Delta further alleges that 24/7 had inadequate security measures, including “allowing numerous employees to utilize the same login credentials; did not limit access to the source code running the [24/7] chat function to only those individuals who had a clear need to access that code; did not require the use of passwords that met PCI DSS…standards; did not have sufficient automatic expiration dates for login credentials and passwords…; and did not require users to pass multi-factor authentication prior to being granted access to sensitive source code.”

As a result of these security lapses, Delta alleges that an intruder was able to use scraping malware to obtain the credit card information of approximately 800,000-850,000 of its customers.

Even worse, Delta alleges that 24/7 knew about the incident in September or October of 2017 and yet did not notify Delta of the incident until five months later through LinkedIn messages to some Delta employees. The Complaint alleges that 24/7 still has not provided “formal detailed notice” of the incident. Still worse, (how can it get worse?), 24/7 signed and returned the GDPR Addendum to Delta in February of 2018 when it knew that the security incident had occurred.

Delta publicly announced the breach, notified its customers, provided them with mitigation services and was promptly sued in class action litigation, all of which costs a lot money for which Delta is seeking reimbursement from 24/7, and that 24/7 is apparently refusing to pay.

There are so many “wrongs” here that make this case so unusual and warranted. There are also numerous lessons to learn for vendors—obvious “dont’s” when providing services to companies and in the aftermath of a security incident. It will be an interesting case to follow.