American Express Travel Related Services Company, Inc

The California Office of the Attorney General disclosed a data breach affecting **American Express** in January 2016, stemming from an incident in **November 2014**. The breach involved unauthorized access to a **third-party service provider’s system**, exposing sensitive customer data. Compromised information included **American Express Card account numbers, cardholder names, and other card-related details** of certain Card Members. While the exact scale of the breach was not specified, the exposure of financial data posed risks of fraud, identity theft, and reputational harm to affected customers. The incident highlighted vulnerabilities in third-party vendor security, raising concerns about supply chain risks in payment processing ecosystems. American Express likely faced regulatory scrutiny, potential financial liabilities, and erosion of customer trust due to the exposure of payment card information.

Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-59799

TPRM report: https://www.rankiteo.com/company/american-express

"id": "ame001091825",
"linkid": "american-express",
"type": "Breach",
"date": "11/2014",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'industry': 'Payments / Credit Cards',
                        'location': 'United States (California reported)',
                        'name': 'American Express Travel Related Services '
                                'Company, Inc. and/or its Affiliates',
                        'type': 'Financial Services'},
                       {'name': 'Unnamed Third-Party Service Provider',
                        'type': 'Service Provider'}],
 'attack_vector': 'Third-Party Compromise',
 'data_breach': {'data_exfiltration': 'Potential',
                 'personally_identifiable_information': ['Names',
                                                         'Card account '
                                                         'numbers'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Payment Card Data',
                                              'Personally Identifiable '
                                              'Information (PII)']},
 'date_publicly_disclosed': '2016-01-26',
 'description': 'The California Office of the Attorney General reported a data '
                'breach involving American Express Travel Related Services '
                'Company, Inc. and/or its Affiliates. The breach occurred due '
                "to unauthorized access to a third-party service provider's "
                'system, potentially compromising American Express Card '
                'account numbers, names, and card information of some Card '
                'Members.',
 'impact': {'data_compromised': ['American Express Card account numbers',
                                 'Names',
                                 'Card information'],
            'identity_theft_risk': 'Potential',
            'payment_information_risk': 'High',
            'systems_affected': ["Third-party service provider's system"]},
 'initial_access_broker': {'entry_point': "Third-party service provider's "
                                          'system',
                           'high_value_targets': ['American Express Card '
                                                  'Member data']},
 'post_incident_analysis': {'root_causes': ['Third-party vendor security '
                                            'vulnerability']},
 'references': [{'date_accessed': '2016-01-26',
                 'source': 'California Office of the Attorney General'}],
 'regulatory_compliance': {'regulations_violated': ['Potential violation of '
                                                    'California data breach '
                                                    'notification laws (e.g., '
                                                    'CCPA precursor)'],
                           'regulatory_notifications': ['California Office of '
                                                        'the Attorney '
                                                        'General']},
 'response': {'communication_strategy': 'Public disclosure via California '
                                        'Office of the Attorney General'},
 'title': 'American Express Data Breach via Third-Party Service Provider',
 'type': 'Data Breach'}