In May 2008, American Express Travel Related Services Company, Inc. experienced a data breach due to unauthorized access to a merchant’s data files. The incident, reported by the California Office of the Attorney General on November 12, 2015, exposed American Express Card account numbers and related transaction details. While the breach did not compromise Social Security numbers, the exact number of affected individuals remains undisclosed. The unauthorized access suggests a failure in securing third-party merchant systems, potentially allowing attackers to harvest payment card information. Such breaches often lead to financial fraud risks for cardholders, including unauthorized transactions or identity theft attempts. The delayed disclosure (over seven years later) further highlights gaps in incident response and regulatory compliance. Although no direct evidence of misuse was reported, the exposure of card data alone poses significant reputational and operational risks for American Express, eroding customer trust and potentially incurring regulatory penalties.
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-58780
TPRM report: https://www.rankiteo.com/company/american-express
"id": "ame1005091725",
"linkid": "american-express",
"type": "Breach",
"date": "5/2008",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"{'affected_entities': [{'customers_affected': 'Unknown',
'industry': 'Financial Services / Credit Cards',
'location': 'United States (California)',
'name': 'American Express Travel Related Services '
'Company, Inc.',
'type': 'Financial Services'}],
'attack_vector': "Unauthorized access to merchant's data files",
'data_breach': {'number_of_records_exposed': 'Unknown',
'personally_identifiable_information': 'No (Social Security '
'numbers not impacted)',
'sensitivity_of_data': 'Moderate (payment card data, no SSNs)',
'type_of_data_compromised': ['American Express Card account '
'numbers',
'related information']},
'date_detected': '2008-05-05',
'date_publicly_disclosed': '2015-11-12',
'description': 'The California Office of the Attorney General reported a data '
'breach by American Express Travel Related Services Company, '
'Inc. on November 12, 2015. The breach occurred on May 5, '
"2008, due to unauthorized access to a merchant's data files, "
'potentially exposing American Express Card account numbers '
'and related information, while Social Security numbers were '
'not impacted. The number of affected individuals is unknown.',
'impact': {'data_compromised': ['American Express Card account numbers',
'related information'],
'payment_information_risk': 'American Express Card account '
'numbers'},
'post_incident_analysis': {'root_causes': "Unauthorized access to merchant's "
'data files'},
'references': [{'date_accessed': '2015-11-12',
'source': 'California Office of the Attorney General'}],
'regulatory_compliance': {'regulatory_notifications': 'California Office of '
'the Attorney General'},
'response': {'communication_strategy': 'Public disclosure via California '
'Office of the Attorney General'},
'title': 'American Express Data Breach (2008)',
'type': 'Data Breach'}