Unknown merchant breach leads to American Express notification
Technorati Tag: Security Breach
Date Reported:
9/9/08
Organization:
American Express Company
Contractor/Consultant/Branch:
"A merchant"*
*Not named
Location:
Unknown
Victims:
Customers
Number Affected:
Unknown
Types of Data:
"American Express Card account and personal contact information"
Breach Description:
In a letter dated August 26, 2008 American Express is notifying an unknown number of cardholders that a merchant detected unauthorized access to its data files exposing personal information.
Reference URL:
The Breach Blog was provided with a copy of the letter sent to an affected cardholder.
Report Credit:
A trusted friend and reader of The Breach Blog.
Response:
From the online sources cited above:
A copy of the letter can be found by clicking here.

I am writing to inform you of a recent incident concerning your cancelled American Express Card account.
[Evan] This letter was received by a friend of mine who recently cancelled his corporate American Express account and was issued a new card as part of a change in corporate accounting.
Even though we do not foresee any significant impact to your cancelled account, it is our practice to inform you of the incident as soon as possible.
[Evan] If the account is cancelled, what significant impact could occur?
A merchant accepting the American Express Card for payment detected unauthorized access to its data files.
[Evan] Who was the merchant? This bit of information seems really pertinent to a consumer and an affected individual. If I were affected, I would want to know where this unauthorized access took place.
At this time, we believe the affected data included your American Express Card account and personal contact information.
Based on our commitment to the highest level of security, we wanted to make you aware of the situation.
Importantly, the compromised data did not include your Social Security number and our systems do not show any indication of unauthorized activity on your Card account related to this incident.
[Evan] Can you imagine if merchants collected Social Security numbers too? Wait! Some do.
We also want to reassure you that, as always, American Express Cardmembers are not liable for fraudulent charges.
However, because you may have questions or concerns about this situation, here are steps that American Express is taking, as well as some steps that you can take to get more information:
- Although your American Express Card is cancelled, we will continue to monitor your account for unusual activity. If you notice suspicious activity on your American Express Card account or suspect identity theft, notify us immediately by calling 1-.
- We are enclosing a tip sheet that contains information about how to obtain copies of your credit reports and information about how to set up fraud alerts.
- Should you have questions, please call 1- and an American Express customer care professional will be happy to assist you.
Your privacy is a priority for American Express.
To keep you better informed, you may receive multiple notification letters if more than one of your American Express card accounts was impacted.
Commentary:
There are many words in the notification letter, but not much information. I am left with more questions than I am provided with answers.
We do know that someone or something accessed confidential information at a merchant. I presume that active American Express Card account information was also subject to unauthorized access, so I am guessing that American Express has at least two versions of this letter: one for cancelled accounts and one for active accounts.
Does anyone know who the merchant is/was? Is this notification related to the recent finding on eBay (see below)?
Past Breaches:
American Express:
August 2008 - Financial information belonging to millions sold on eBay
I received one of these letters as well.
I asked for the merchant's name, and was refused. I requested an escalation to name the merchant. A few weeks later, I got a call from Amex, stating that due to the contract with the merchant, they could not release the name. I again said this was unacceptable, and was told I could call or write to the Chief Privacy Officer.
I think that based on recent laws, they _have_ to disclose who it was if asked. I think this leaves too much at risk (I may have used other credit cards with that merchant).
Very odd. Anyone know the law?
Ah, you've fallen victim to the great AmEx marketing machine. This was kept so hush-hush that people within CISO @ AmEx didn't even know about it. The CPO will just offer you 2 years of monitoring for "free" and nothing else. Same as when the employee data was breached with Towers-Perrin. They tout vendor security on paper, but the left hand doesn't know what the right is doing.