The California Office of the Attorney General disclosed a data breach affecting American Express Travel Related Services Company, Inc. in March 2016. The incident involved unauthorized exposure of Card Members' account information at a third-party merchant. Compromised data may have included card numbers, names, and expiration dates, though the exact number of impacted individuals and the breach method were not publicly revealed. While no evidence suggested misuse of the exposed data, the breach posed risks such as potential financial fraud or identity theft for affected customers. The exposure of payment card details—even without additional personal identifiers—heightens vulnerabilities in financial transactions, potentially damaging customer trust and the company’s reputation. American Express likely initiated investigations and mitigation measures, such as card reissuance or monitoring services, to limit further harm. However, the lack of transparency regarding the breach’s scope and origin left uncertainties about the full extent of the incident’s impact.
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-60674
TPRM report: https://www.rankiteo.com/company/american-express-global-business-travel
"id": "ame1000091725",
"linkid": "american-express-global-business-travel",
"type": "Breach",
"date": "3/2016",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"{'affected_entities': [{'industry': 'Payments / Credit Cards',
'location': 'United States (California breach '
'notification)',
'name': 'American Express Travel Related Services '
'Company, Inc.',
'type': 'Financial Services'},
{'name': 'Unnamed Third-Party Merchant',
'type': 'Merchant / Retail'}],
'data_breach': {'data_exfiltration': 'Likely (not explicitly confirmed)',
'personally_identifiable_information': ['name'],
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['payment card data',
'personal identification data']},
'date_publicly_disclosed': '2016-03-24',
'description': 'The California Office of the Attorney General reported a data '
'breach related to American Express Travel Related Services '
'Company, Inc. The breach involved account information of some '
'Card Members at a third-party merchant, which may have '
'included their card number, name, and expiration date; '
'however, the specific number of affected individuals and '
'method of breach were not disclosed.',
'impact': {'data_compromised': ['card number', 'name', 'expiration date'],
'identity_theft_risk': 'Potential (due to exposed card details)',
'payment_information_risk': 'High (card numbers and expiration '
'dates exposed)'},
'initial_access_broker': {'high_value_targets': ['payment card data']},
'investigation_status': 'Disclosed; details limited',
'references': [{'date_accessed': '2016-03-24',
'source': 'California Office of the Attorney General'}],
'regulatory_compliance': {'regulations_violated': ['Potential California Data '
'Breach Notification Law '
'(Civil Code § 1798.29 et '
'seq.)',
'Potential Payment Card '
'Industry Data Security '
'Standard (PCI DSS)'],
'regulatory_notifications': ['California Office of '
'the Attorney '
'General']},
'response': {'communication_strategy': 'Public disclosure via California '
'Attorney General'},
'title': 'American Express Third-Party Merchant Data Breach (2016)',
'type': 'Data Breach'}