14 DAY TRIAL // Following an investigation carried out by law enforcement, it was discovered that information belonging to American Express card holders was exposed to unauthorized persons.
The circumstances leading to finding the data and how it could have ended up in the hands of a third party have not been disclosed. Also, American Express may have helped during the investigation, but this aspect is not completely clear.
Names and SSNs leaked
On the other hand, it is certain that at least 500 people in California are impacted by the incident. All affected individuals should receive a notification letter, if they haven't already, as demanded by California law.
The information recovered during the investigation may include the American Express card account number, the name of the card holder, as well as the expiration date and the social security (SSN) number.
The SSN and the name of its owner are sufficient for cybercriminals to make a profit by filing tax returns in the name of the victim.
Card data can be stolen from retailers and online merchants, but transacting with them does not require the social security number. A phishing attack would seem more likely to have been used to get the data.
Complimentary identity protection service offered
The letter signed by American Express Chief Privacy Officer Stefanie Wulwick informs the recipient that the company has not recorded unauthorized activity on their card account that could be related to the incident.
American Express has already taken the standard steps to mitigate the risk stemming from the event. Apart from this, the company placed additional fraud monitoring on the card and says that an alert would be issued in case of suspicious activity.
Recipients of the letter are not liable for any fraudulent charges occurring on their account. They are also provided one year of free membership to identity protection services.
Despite these preventative measures, the company recommends people to stay vigilant and monitor the account statements over the next 12 to 24 months in order to detect possible identity theft action at an early stage.
[UPDATE, April 6]: American Express contacted us to highlight the fact that their systems have not been breached, as it is also stressed in their letter (linked above) to the affected customers.
The data cache was discovered during a law enforcement investigation of a separate matter, and American Express was notified by authorities about it.