23 November 2014

AmEx writes to customers after Anonymous dumps card data

03 June 2014

American Express is writing to around 75,000 Californian customers to warn them that their card data has been posted online by Anonymous Ukraine.

In March the Ukrainian arm of the Anonymous collective posted details from around seven million Visa, MasterCard, AmEx and Discover cards online in protest at the US and its banking system.

While the fraud threat is considered minimal, AmEx has now moved to warn affected customers. As picked up by CSO, the firm has written to the California Attorney General's Office about its decision.

AmEx is writing to 58,522 Californians whose names and corresponding account numbers were involved, as well as another 18,086 whose card information was published but not their names.

Says the letter being sent out: "We were recently made aware that your American Express Card information was recovered during an investigation by law enforcement and/or American Express.

"At this time, we believe the recovered data may include your American Express Card account number, the card expiration date, the date your card became effective and the four digit code printed on the front of your card."

The company stresses that social security numbers were not taken and that no fraud has been detected on the affected cards but says that it has put extra monitoring procedures in place.

Comments: (5)

Alexander Peschkoff - TEDIPAY - London | 03 June, 2014, 16:57

What's the point of PCI if such breaches still happen?..

A Finextra member | 03 June, 2014, 17:36

Agreed, though they were probably PCI compliant at the time.

Could they fine themselves? ;0)

A Finextra member | 03 June, 2014, 20:06

Why bother to write comments like these?   Regardless of some of the questionable approaches to PCI taken by the card brands, what is the point of attributing any weight to PCI for a story like this?   There is no information here that would indicate Anonymous obtained this information because PCI is not what it should be.

Are you saying that the existence of a standard should automatically banish all hacking, fraud, social engineering, and insider data theft?   There are many valid ways to achieve data theft that are beyond the scope of what PCI attempts to address or well within the parameters of what PCI does address (e.g. a person with valid credentials and responsibilities committing criminal acts). 

The sixth largest breach of all time happened earlier this year in South Korea.  Over 100 million payment card records exposed via  a criminal act by a person within a credit bureau.  

If you could "fix" or eliminate PCI, how would it change things? Assume you are making this point from an assumed superior position that consists of a "better idea". How does your better idea make things better - beyond the point of getting someone through a transit terminal without having their data stolen? We can all agree on the benefits of hardware encryption. . . but what about everything else?

 . . . or maybe people just make comments like this because they really don't understand what PCI is and what it isn't???

Alexander Peschkoff - TEDIPAY - London | 03 June, 2014, 20:28

One of the PCI's objectives is to ensure that cardholder/sensitive data is safeguarded. Clearly, that doesn't (always) work. Some of the solutions available in 2014 - tokenisation or 2FA. When there is nothing to steal, there is nothing to protect. Simples! You don't need thousands of pages that vaguely describe stuff nobody can comprehend (and, hence, act upon). Look at mobile telecom - their fraud rate is almost nonexistent without any PCI. Remove PCI, let banks and merchants get hit with tangible fraud, and they WILL take appropriate measures. PayPal is a good example of that.

Sean Coady - Coady Investments - Melbourne | 04 June, 2014, 01:09

Biggest data breaches. Can anyone point me to the best place to understand what the largest breaches of the last 10 years have been? Is anyone tracking this data centrally? All part of the continuing journey to educate senior bank executives who grew up in a pre-cyber security world of the need to invest more...
