American Express is in the process of notifying 76,608 California residents that their credit card information was posted online back in March by an offshoot of the worldwide hacktivist collective Anonymous.
“At this time, we believe the recovered data may include your American Express Card account number, the card expiration date, the date your card became effective and the four digit code printed on the front of your card,” the company said in a letter to the California Attorney General's Office (OAG). “Importantly, your Social Security number was not impacted and our systems have not detected any unauthorized activity on your card account related to this incident.”
58,522 of the victims also had their names posted with the card information.
In March, Anonymous Ukraine released more than 7 million records as part of a protest against financial firms for “enslaving” people. This included 3,255,663 records from Visa; 1,778,749 records from MasterCard; 362,132 records from Discover; and 668,279 records from American Express. The group promised that this was only a first step, and claimed to have more than 800 million credit card records at its disposal.
“For 15 years we have destroyed your economy and banking system, gradually increasing the U.S. national debt,” it posted on Pastebin. “That crash which came thanks to America happens to us. After the USA showed its true face when she unilaterally decides which of the peoples to live independently and who under the yoke of the Federal Reserve, we decided to show the world who is behind the future collapse of the American banking system. We own all the financial information of the Fed. And even more than you think.”
However, security researchers said that it all appeared to be posturing, and that Anonymous was simply recycling older card information that had been hacked before. So far, no one has identified the source of the data or leaks.
“It appears that this credit card dump contains valid, but older card data that had been previously disclosed,” the Open Security Foundation noted. “To date, there is no solid evidence this represents a new breach. So far, only American Express has taken notification steps.”
So far, and perhaps in light of the recycled aspect of the compromise, American Express is the only one taking notification steps.
Amex told the OAG via a data breach notification form that Anonymous Ukraine posted several large files containing personal information to the internet. The company found out about the files on March 25, when the UK’s National Crime Agency brought them to its attention.
The company said that it’s taking steps to help compromised cardholders.
“Beyond the standard measures we take for fraud protection, we have placed additional fraud monitoring on your card, and will contact you if we suspect any unusual activity. You are not liable for any fraudulent charges on your account,” it said in the letter. “In addition to the fraud protection actions we are taking on your behalf, you can take…precautionary steps to further protect yourself from the risks of fraud and identity theft.”