09 Apr 2018

Delta Air Lines’ chat vendor discloses 6-month-old data breach

The payment data of a “small subset” of Delta Air Lines customers may have been exposed when [24]7.ai, the vendor of the airline’s chat function, was hacked.

The incident occurred between Sept. 26 and Oct. 12, 2017, but [24]7.ai did not inform Delta until March 28.

In turn, Delta made the incident public a week later.

Delta would not comment on the reasons for the timing of either disclosure, but it offered a timeline of related events on its website.

On Oct. 12, [24]7.ai discovered and contained the breach, which affected only payment data of customers who used Delta’s chat function on either its website or mobile app.

Other personal data, such as passwords or Social Security numbers, were not exposed.

During the following months, the San Jose, Calif., vendor worked with law enforcement to investigate the cause of the breach.

When Delta learned of the incident in March, it began working with [24]7.ai to gauge any potential impact the incident had on its customers or systems.

“We also engaged federal law enforcement and forensic teams, and have confirmed that the incident was resolved by [24]7.ai last October.”

Delta said it could not confirm whether any customer data were, in fact, exposed in the hack.

Out of an “abundance of caution,” however, it shut down the chat function and offered free protection services to customers who feel they may be at risk.

That and other information is available at a dedicated website.

Sears and Best Buy say their customers may also have been affected.

Bills to require companies to disclose data breaches within a certain time have been introduced in the US Congress from time to time, but the efforts – generally backed by Democrats – have stalled.

Several states, however, have passed laws requiring timely disclosure.

Florida allows companies to report within 30 days, the tightest window.

Under the European Union’s General Data Protection Regulation (GDPR), which goes into effect on May 25, companies will have 72 hours to disclose data breaches.

Henry Harteveldt, chief analyst at Atmosphere Research in San Francisco, said companies need to pay close attention to the laws governing disclosures.

“You don’t have four or five months to report these things. In this digitally based commercial environment, you won’t have four or days.”