Version Control / Code Review? Hello!
Does no-one in modern IT do any QA or use Version Control? What ever happened to code reviews? Checking that what is being deployed is what was designed, and that other parts of the code haven't been changed? This is software development 101 people. Maybe it's all Git's fault - in which case throw it away and use tools that are fit for purpose. I know the toolchain I use does all this because it's the single most import reason why we use change management - to track what changes, because our QA and release process regularly asks: what changed? and needs good answers.
From the Delta.com/response web site:
We understand malware present in [24]7.ai’s software between Sept. 26 and Oct. 12, 2017, made unauthorized access possible for the following fields of information when manually completing a payment card purchase on any page of the delta.com desktop platform during the same timeframe: name, address, payment card number, CVV number, and expiration date.
So the answer is how an outsourced chat bot could access credit card info is answered - because it can access the DOM of the page beneath it.