American Express issues alert after Anonymous dumps cardholder data

In a letter to the California Attorney General’s Office (OAG), American Express says that 76,608 people in the state will get a breach notification letter after some of their data was published by Anonymous Ukraine earlier this year.

In March, Anonymous Ukraine released more than 7 million records as part of a protest against the financial firms that helped “enslave” people the world over.

“After the USA showed its true face when she unilaterally decides which of the peoples to live independently and who under the yoke of the Federal Reserve, we decided to show the world who is behind the future collapse of the American banking system,” Anonymous Ukraine supporters wrote at the time.

In all, they released 3,255,663 records from Visa; 1,778,749 records from MasterCard; 362,132 record from Discover; and 668,279 records from American Express. To date, only American Express has taken notification steps.

Experts who examined the data, noticed immediately that it was outdated, speculating that Anonymous Ukraine wasn’t the original source despite their claims. Regardless, the data was real enough to force American Express to initiate their notification process.

In a letter to the California OAG, the financial firm says that more than 58,000 residents will be getting a letter via the US Postal Service about the incident.

“AXP was informed by law enforcement that several large files containing personal information were posted on internet sites by claimed members of “Anonymous,” a worldwide hacking collective. The source(s) of the posted data is/are not currently known. The posted records contained varying data elements, but AXP has identified, and is providing notice via mail to, 58,522 California residents whose names and corresponding AXP account numbers were involved,” the company’s letter to the OAG explained.

[Edit 6/19/2014: The OAG removed the letter from their website. An archived copy is available on Google and on Archive.Today]

In addition, American Express says that 18,086 other residents also had their data leaked by Anonymous Ukraine, but since their names were not released they’re exempt from notification under California Civil Code s. 1798.29(e). But despite that fact, they’re also planning to send letters to those customers as well, which is why the state’s total was pushed over 76,000.

In the letter to customers, American Express said that they’ve placed additional fraud monitoring on the individual’s account, reminding them that they are not liable for any fraudulent charges.

The letter goes on to offer additional information on how to obtain free credit reports, and provides a toll-free number to call for questions.

“We are strongly committed to the security of our Cardmembers’ information and strive to let you know about security concerns as soon as possible,” the customer letter states.

“At this time, we believe the recovered data may include your American Express Card account number, the card expiration date, the date your card became effective and the four digit code printed on the front of your card. Importantly, your Social Security number was not impacted and our systems have not detected any unauthorized activity on your Card account related to this incident.”

American Express credited the UK National Crime Agency as the law enforcement agency responsible for bringing the leaked data to their attention.

Information on the number of customers outside of California who were impacted by the Anonymous Ukraine leak, wasn’t available Sunday evening. CSO has been in contact with American Express and will report those additional figures as we get them.