On August 24, 2012, American Express Travel Related Services Company, Inc. experienced a data breach due to unauthorized access to a merchant's website. The incident, reported by the California Office of the Attorney General on February 19, 2013, resulted in the compromise of American Express Card account numbers, cardholder names, and other payment-related details. However, Social Security numbers were not affected, and the exact number of impacted individuals remains undisclosed. The breach stemmed from a vulnerability in the merchant’s system, allowing attackers to exploit weaknesses and gain access to sensitive cardholder data. While the exposed information could potentially facilitate fraudulent transactions or identity theft, the absence of Social Security numbers or broader personal identifiers limited the severity of the long-term consequences. American Express likely initiated containment measures, including notifying affected customers and collaborating with law enforcement to mitigate risks. The incident underscores the persistent threats posed by cybercriminals targeting payment systems, emphasizing the need for robust security protocols across third-party vendors.
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-38941
TPRM report: https://www.rankiteo.com/company/american-express
{
  "id": "ame956091725",
  "linkid": "american-express",
  "type": "Breach",
  "date": "8/2012",
  "severity": "60",
  "impact": "2",
  "explanation": "Attack limited on finance or reputation"
}
{'affected_entities': [{'customers_affected': 'unknown',
                        'industry': 'payments/credit cards',
                        'location': 'United States (California breach report)',
                        'name': 'American Express Travel Related Services '
                                'Company, Inc.',
                        'type': 'financial services'},
                       {'name': 'Unnamed merchant (third-party)',
                        'type': 'e-commerce/retail'}],
 'attack_vector': 'unauthorized access to third-party merchant website',
 'data_breach': {'data_exfiltration': 'yes',
                 'number_of_records_exposed': 'unknown',
                 'personally_identifiable_information': 'partial (names only, '
                                                        'no SSNs)',
                 'sensitivity_of_data': 'high (payment card details)',
                 'type_of_data_compromised': ['payment card data',
                                              'personal identifiers (names)']},
 'date_detected': '2012-08-24',
 'date_publicly_disclosed': '2013-02-19',
 'description': 'The California Office of the Attorney General reported a data '
                'breach involving American Express Travel Related Services '
                'Company, Inc. The breach occurred due to unauthorized access '
                "to a merchant's website, compromising American Express Card "
                'account numbers, names, and other card information (excluding '
                'Social Security numbers). The number of affected individuals '
                'remains unknown.',
 'impact': {'data_compromised': ['card account numbers',
                                 'cardholder names',
                                 'other card information (excluding SSNs)'],
            'identity_theft_risk': 'potential (card information exposed)',
            'payment_information_risk': 'high (card account numbers '
                                        'compromised)',
            'systems_affected': ["merchant's website"]},
 'references': [{'date_accessed': '2013-02-19',
                 'source': 'California Office of the Attorney General'}],
 'regulatory_compliance': {'regulatory_notifications': 'yes (California '
                                                       'Attorney General)'},
 'response': {'law_enforcement_notified': 'yes (California Attorney General)'},
 'title': 'American Express Data Breach via Merchant Website (2012)',
 'type': 'data breach'}