Slashdot Mirror


American Express Warns Customers About Breach -- From 2013 (csoonline.com)

itwbennett writes: In a notification letter dated March 10, American Express warned cardholders that their account information might've been exposed after a third-party service provider suffered a data breach — in December 2013. The company says they are monitoring accounts for fraud and advise cardholders to do the same, but they offer no explanation for the delay.

32 comments

  1. I can be the last post and... by Anonymous Coward · · Score: 0

    I am faster than American Express.

    Isn't there a law on the books yet about timely notifications?

    1. Re:I can be the last post and... by davester666 · · Score: 1

      They managed to get the email out before the Milky Way collapses into the massive black hole at its center, so yes, it's timely.

      --
      Sleep your way to a whiter smile...date a dentist!
    2. Re:I can be the last post and... by EvilAlphonso · · Score: 2

      In socialist Europe, a data breach exposing customer confidential data or financial data that isn't reported to the relevant authorities and the customers within 3 days opens the company to large fines (up to 4% world-wide revenue of the company/group), a lawsuit and up to 20 days in jail for the management.

    3. Re:I can be the last post and... by Anonymous Coward · · Score: 0

      How is that law in any way connected to Europe being "socialist" (which, by the twisted definition that Americans use, encompasses pretty much everything left of cut-throat capitalism, so the word really has no meaning anymore)?

      To me it just seems like basic enforcement of privacy and customer protection laws, which ideally should exist in any modern western society.

    4. Re:I can be the last post and... by Albanach · · Score: 1

      Isn't there a law on the books yet about timely notifications?

      There's no indication that American Express themselves were compromised. They can only notify their cardholders once the third-party service provider tells them something happened. My guess is that the service provider didn't know until recently.

    5. Re:I can be the last post and... by ls671 · · Score: 1

      I don't know but what I know for sure: When you deal with them, you are contractually obligated to report any security breaches as soon as you notice them.

      --
      Everything I write is lies, read between the lines.
  2. Reason for delay by Fallen+Kell · · Score: 1

    The company says they are monitoring accounts for fraud and advise cardholders to do the same, but they offer no explanation for the delay.

    Probably because some of the data from the breach was recently seen on the various black-market sites that sell the information.

    --
    We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
    1. Re: Reason for delay by Anonymous Coward · · Score: 0

      They wanted to send the notification earlier but they kept getting distracted by porn and "103 fascinating photos you've never seen" and having to deal with the resulting viruses and malware.

  3. ... to charge more interest? by Anonymous Coward · · Score: 0

    The longer it takes, the more interest they charge.

  4. AmEx is also a bank by Anonymous Coward · · Score: 1

    Unlike Visa and Mastercard, who do nothing but process cards and pass all the lending risk to the banks, American Express loans out their own money. If they know about a breach and fail to do anything about it, they're the ones eating the bill.

  5. seems obvious by Gravis+Zero · · Score: 0

    someone forgot to put a cover sheet on the TPS report. ;)

    --
    Anons need not reply. Questions end with a question mark.
  6. Re: CEO Aholes get rekt by Anonymous Coward · · Score: 0

    That's funny, because the first thought I had was the custom development my ex-employer did for Amex. All the code written in North America by employees/owners.

    The owners' code was shit however.

  7. Attorney Advice -- Written to a jury by Etherwalk · · Score: 1

    Big company data breaches these days pretty regularly expect lawsuits to result. While some of them (Amex is probably included) mostly avoid responsibility by including no-class-action and arbitration clauses in their contracts, they are still going to make sure every word of an announcement like this is vetted by their litigation counsel.

    That means that explanations that may be used against them in court are not going to be included.

    It also means that this announcement is written to consumers, but it is also, and more honestly, directed at a future judge or jury.

    1. Re:Attorney Advice -- Written to a jury by Anonymous Coward · · Score: 0

      it is also, and more honestly, directed at a future judge or jury

      If I'm a jury member, who do I side with?

      A big credit card company who failed in its responsibility to protect its customers.
      or
      The customers who were left in the dark for 2+ years about that fact?

      That announcement should have read: "Our bad. Please serve lawsuits to this address: 123 WeRToast Lane..."

  8. "Third-party" seems to be the crux here. by EzInKy · · Score: 1

    There simply has to be some way that a second party can be paid without revealing details about the first party. Hopefully somebody is working on a solution to this obvious weakness in secured transactions.

    --
    Time is what keeps everything from happening all at once.
    1. Re:"Third-party" seems to be the crux here. by Anonymous Coward · · Score: 0

      I think the issue is that with money laundering and other dodgy practices they want at all times to know all the parties involved in a transaction.

    2. Re:"Third-party" seems to be the crux here. by EzInKy · · Score: 1

      They who? Governments spinning their wheels going after small fish and ignoring the big ones?

      --
      Time is what keeps everything from happening all at once.
    3. Re: "Third-party" seems to be the crux here. by Anonymous Coward · · Score: 0

      Nope, it is the backward American system where the card processor pushes a debit (debt, fungible) around - they trust any and all 3rd parties that you, their customer, owe ohou bohou (the arbitrary 3rd party) money. In Europe the system is much more sensible since it moves credit (deposit, tangible) - the banks trust only you (their customer who they have a relationship with) to instruct them that you owe ohou bohou X amount of money and they must proceed to transfer. But that only works with chip and pin.

    4. Re:"Third-party" seems to be the crux here. by EvilAlphonso · · Score: 1

      Let's say you've got a set of transactions of less than $200 each going between J. R. Blowski and A. M. Laundry Services. How do you establish if it is part of a legit series of transactions from a customer to a clothes cleaning service, a small fish funneling money to his savings account abroad in order to avoid taxes, or just a part of a large fish laundering petty crime money through multiple agents on both ends of the transaction in order to finance terrorist groups? Well, you can't without investigating the transactions.

    5. Re:"Third-party" seems to be the crux here. by EzInKy · · Score: 1

      The same way they investigated such transactions before there were electronic payments?

      --
      Time is what keeps everything from happening all at once.
    6. Re:"Third-party" seems to be the crux here. by EvilAlphonso · · Score: 1

      Which is exactly what they are doing with electronic payments... opening a bank account has pretty much always (in my lifetime) required a piece of identification and a proof of address, which triggered a Due Diligence routine (is it a real/legal piece of ID, does it match the information given to us by the customer, is it the same person, ...), questions about the source of the funds once it crossed a certain threshold and regular scans against sanctions lists.

      The only major differences are that the lists are now digital and updated at least daily, the scans are now fast enough that the customers are checked daily against those lists, the regulations are also being adapted faster to follow the evolution of money laundering techniques and there is international cooperation on money laundering matters. Just because the transaction is now happening online doesn't exclude it from the existing regulations on financial operations.

      As I am working in direct contact with AML regulations on a daily basis, I can tell you that we're currently only expected to block and report the big fishes... basically the persons with multiple positive hits in sanction lists. Well, those and transactions to/from embargoed countries (legal requirement) or high risk countries (risk management decision from the company).
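The screening routine the comment above describes (parties checked against several sanctions lists, multiple positive hits blocked and reported, embargoed and high-risk countries blocked) can be sketched in code. The block below is an added example written for this page; it is not the commenter's code nor any bank's system. The list entries, aliases, country codes and the three-way allow/review/block policy are all constructed placeholders, and the sample transactions reuse the constructed names from the earlier comment.

```python
"""Toy AML sanctions/embargo screening (added example, constructed data)."""
import re
import unicodedata
from dataclasses import dataclass, field

# Constructed sanctions lists: placeholder designations, not real ones.
# Each list maps a canonical entry to the aliases it is known under.
SANCTIONS_LISTS = {
    "LIST_A": {"ACME SHELL TRADING": {"ACME SHELL TRADING LTD", "A.C.M.E. SHELL"}},
    "LIST_B": {"ACME SHELL TRADING": {"ACME SHELL TRADING LTD"},
               "JOHN Q DOE": {"J. Q. DOE"}},
}
EMBARGOED_COUNTRIES = {"XE"}   # constructed placeholder country codes
HIGH_RISK_COUNTRIES = {"XH"}   # constructed placeholder country codes


def normalize(name):
    """Fold accents, case, punctuation and whitespace so aliases match robustly."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(re.sub(r"[^A-Z0-9 ]", " ", ascii_name.upper()).split())


def build_index(lists=SANCTIONS_LISTS):
    """Map each normalized alias to the set of (list_name, canonical) it hits."""
    index = {}
    for list_name, entries in lists.items():
        for canonical, aliases in entries.items():
            for alias in aliases | {canonical}:
                index.setdefault(normalize(alias), set()).add((list_name, canonical))
    return index


@dataclass
class Transaction:
    tx_id: str
    payer: str
    payee: str
    payer_country: str
    payee_country: str
    amount: float


@dataclass
class Result:
    tx_id: str
    action: str = "allow"            # allow | review | block
    reasons: list = field(default_factory=list)


def screen(tx, index):
    """Apply the policy: multiple list hits or embargoed/high-risk country block,
    a single list hit goes to analyst review, everything else is allowed."""
    result = Result(tx.tx_id)
    block = review = False
    for party in (tx.payer, tx.payee):
        lists_hit = {list_name for list_name, _ in index.get(normalize(party), set())}
        if len(lists_hit) >= 2:
            block = True
            result.reasons.append(f"{party}: positive hit on {len(lists_hit)} lists, report")
        elif len(lists_hit) == 1:
            review = True
            result.reasons.append(f"{party}: single list hit, analyst review")
    for country in (tx.payer_country, tx.payee_country):
        if country in EMBARGOED_COUNTRIES:
            block = True
            result.reasons.append(f"embargoed country {country} (legal requirement)")
        elif country in HIGH_RISK_COUNTRIES:
            block = True
            result.reasons.append(f"high-risk country {country} (risk-management decision)")
    result.action = "block" if block else "review" if review else "allow"
    return result


def screen_batch(transactions, index=None):
    """Screen a daily batch; returns {tx_id: Result}."""
    index = index or build_index()
    return {tx.tx_id: screen(tx, index) for tx in transactions}


# Constructed sample batch (names borrowed from the thread's own hypothetical).
SAMPLE = [
    Transaction("t1", "J. R. Blowski", "A. M. Laundry Services", "US", "US", 180.0),
    Transaction("t2", "J. R. Blowski", "ACME Shell Trading Ltd.", "US", "GB", 150.0),
    Transaction("t3", "J. R. Blowski", "Jane Roe", "US", "XE", 50.0),
    Transaction("t4", "J. Q. Doe", "Jane Roe", "GB", "DE", 199.0),
]

if __name__ == "__main__":
    for tx_id, res in screen_batch(SAMPLE).items():
        print(tx_id, res.action, res.reasons)
```

Running it screens the four constructed transactions: the ordinary laundry payment is allowed, the payee that appears on both lists is blocked for reporting, the transfer to the embargoed country is blocked on legal grounds, and the single-list hit is routed to review rather than blocked, which is the distinction the comment draws between "big fish" and everyone else. The name normalization is deliberately simple; production screening adds fuzzy matching, and that is where most false positives come from.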

  9. I noticed by slazzy · · Score: 1

    I already noticed when I got my credit card bill years ago with a ton of fraud charges. My situation might have been unique as I'd never used my Amex card (being in Canada, there aren't a lot of places that take it). They told me they already knew that I had been a fraud victim and reversed all the charges without me having to do anything.

    --
    Website Just Down For Me? Find out
    1. Re:I noticed by Black+Parrot · · Score: 1

      (being in Canada, there aren't a lot of places that take it)

      What's Canada got to do with it?

      --
      Sheesh, evil *and* a jerk. -- Jade
    2. Re:I noticed by Anonymous Coward · · Score: 0

      Have you ever tried spending Canadian Tire Dollars in the US? It's the same kinda thing, American Express is not widely accepted outside of America...

  10. Not their fault! by aglider · · Score: 3, Funny

    They ran out of gas!
    Th -- they had a flat tire!
    They didn't have enough money for cab fare!
    Their tux didn't come back from the cleaners!
    Some old friend of theirs came in from out of town!
    Someone stole their car!
    There was an earthquake!
    A terrible flood!
    Locusts!
    Hackers!

    IT WASN'T THEIR FAULT, THEY'VE SWORN TO GOD!

    --
    Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
  11. "third party service provider" by l0n3s0m3phr34k · · Score: 5, Interesting

    Whoever this company is needs to be named. TFA mentions that this is the same data Affinity Gaming reported, and now they're suing the ITSEC corp Trustwave, whom they hired to contain the breach, since Trustwave failed and Affinity got hit again. This article says that it was a breach of the card processing system used for non-gambling (hotel, food, etc.) purchases, so it appears this "third party" is a credit card processor that sits in between Affinity and AMEX.

    I'm betting AMEX isn't the only card company hit in this, but there are so many data breaches unless you work in credit card ITSEC you probably don't keep good enough track of it all to tie it all together. It could be CK Systems, they are a CC processor that got hit in 2013.

  12. Do you hear that? by Rain2 · · Score: 1

    Woosh...

    1. Re:Do you hear that? by EvilAlphonso · · Score: 1

      It should be in 2 pica to represent how far above his head it was :)

  13. Can anyone say... by Anonymous Coward · · Score: 0

    Class action suit? Sue the bastards!!!!!!!!!!

  14. I received the letter by Blinkin1200 · · Score: 1

    Amex sent me the letter regarding the breach. After seeing they wanted me to closely watch my account activity for the next 12 to 24 months, I concluded it was more effort than I was willing to expend. I contacted Amex to get more information regarding the breach. They, understandably, would not / could not offer more information and stated there is an ongoing investigation. After telling the nice lady their recommendations were more than I was willing to do, I asked for a replacement card. It was either a new card or I was willing to zap the chip, cut the card and put it into a drawer for the next two years.

    These companies that do not provide sufficient security should be burnt to the ground. We could start with every other Home Depot to set an example.