American Express Travel Related Services Company, Inc.

The California Office of the Attorney General disclosed a data breach affecting American Express Travel Related Services Company, Inc., linked to a third-party platform, Orbitz. The incident involved unauthorized access to sensitive customer data; the breach occurred on October 1, 2017, but was reported on March 22, 2018. Compromised information included full names, payment card details, dates of birth, phone numbers, email addresses, physical addresses, and gender. The breach exposed customers to risks such as identity theft, financial fraud, and phishing attacks, given the breadth of personal and financial data accessed. While the exact number of affected individuals was not specified in the report, the nature of the exposed data, particularly payment card information, suggests significant potential for misuse. The delay in detection (over five months) further exacerbated vulnerabilities, allowing attackers prolonged access. The incident underscored weaknesses in third-party vendor security, as the breach originated from Orbitz’s systems, indirectly impacting American Express customers who had used its travel services.

Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-134720

TPRM report: https://www.rankiteo.com/company/american-express-global-business-travel

"id": "ame027091825",
"linkid": "american-express-global-business-travel",
"type": "Breach",
"date": "10/2017",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Financial Services / Travel',
                        'location': 'United States (California)',
                        'name': 'American Express Travel Related Services '
                                'Company, Inc.',
                        'type': 'Corporation'},
                       {'industry': 'Travel',
                        'location': 'United States',
                        'name': 'Orbitz',
                        'type': 'Subsidiary/Partner'}],
 'data_breach': {'data_exfiltration': 'Yes',
                 'personally_identifiable_information': ['Full name',
                                                         'Date of birth',
                                                         'Phone number',
                                                         'Email address',
                                                         'Physical address',
                                                         'Gender'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personal Identifiable '
                                              'Information (PII)',
                                              'Payment Card Information']},
 'date_detected': '2018-03-22',
 'date_publicly_disclosed': '2018-03-22',
 'description': 'The California Office of the Attorney General reported that '
                'American Express Travel Related Services Company, Inc. '
                'experienced a data breach linked to Orbitz, involving '
                'unauthorized access to personal information. The breach was '
                'reported on March 22, 2018, with the breach occurring on '
                'October 1, 2017. The types of information potentially '
                'compromised include full name, payment card information, date '
                'of birth, phone number, email address, physical address, and '
                'gender.',
 'impact': {'data_compromised': ['Full name',
                                 'Payment card information',
                                 'Date of birth',
                                 'Phone number',
                                 'Email address',
                                 'Physical address',
                                 'Gender'],
            'identity_theft_risk': 'High',
            'payment_information_risk': 'High'},
 'references': [{'date_accessed': '2018-03-22',
                 'source': 'California Office of the Attorney General'}],
 'regulatory_compliance': {'regulations_violated': ['Potential violation of '
                                                    'California Consumer '
                                                    'Privacy Act (CCPA) or '
                                                    'similar state data breach '
                                                    'laws'],
                           'regulatory_notifications': 'California Office of '
                                                       'the Attorney General'},
 'response': {'communication_strategy': 'Public disclosure via California '
                                        'Office of the Attorney General'},
 'title': 'American Express Data Breach via Orbitz',
 'type': 'Data Breach'}