Senior Staff Writer

American Express customers receiving new breach notifications

Jun 20, 2014
Cybercrime, Data and Information Security, Data Breach

It's been a busy month for the American Express General Counsel's Office

Customers of American Express are starting to get a new round of breach notification letters. This time, the letters (mostly identical in wording) stem from two separate incidents, but the full impact is unclear, as the exact number of customers set to receive these notices isn’t known.

For those keeping score: American Express has now had to issue three different notification letters this month, in order to address three different data breaches.

White Lodging Services:

In one letter, the customer is warned that their American Express account number, name, and other card information, such as expiration date, were exposed after someone accessed a merchant’s systems without authorization.

“Importantly, your Social Security number was not impacted and our systems have not detected any unauthorized activity on your Card account related to this incident,” the notice goes on to explain.

I was one of the customers notified by this letter, and given that my American Express card is only used selectively, I immediately started checking hotels and rental car locations.

The lack of information in the notice isn’t helpful at all. It’s only because the American Express I carry sees very little usage that I knew where to start looking.

I had my suspicions, but I checked the usual places for breach notices. On the California Attorney General’s Office (OAG) website, I discovered a sample of the same letter that arrived at my door on Thursday.

The filename on the sample letter listed by the OAG references White Lodging Services, a hospitality company that confirmed reports of a data breach earlier this year. As it turns out, I did use my card at one of their properties. Yet, it’s taken until June to get my letter of notification.

In February, White Lodging confirmed that attackers had gained access to credit and debit card data, and maintained access from March 20, 2013 until December 16 that same year.

The company is the property manager for various hotels, including Courtyard, Marriott, Holiday Inn, Hampton Inn, Westin, Residence Inn, Renaissance, Sheraton, Embassy Suites, Fairfield Inn & Suites, Hilton, and others.

According to the company, the breach in 2013 (detected in January 2014) took place at hotels in: Austin, TX; Boulder, CO; Broomfield, CO; Chicago, IL; Denver, CO; Erie, PA; Indianapolis, IN; Louisville, KY; Merrillville, IN; Plantation, FL; and Richmond, VA.

When asked about the breach notification letters, a company spokesperson directed Salted Hash to the press release on the breach and its FAQ section.

Anyone who traveled in 2013 and stayed at one of the aforementioned hotels in the listed locations should check the company’s record to ensure they’re not at risk.

Createthe Group:

The second notification letter going out to American Express customers concerns an incident at Createthe Group. It’s worded exactly the same as the other letter, including the types of information compromised. As with the other letter, the link between the breach and the notification rests on the company’s previous public statements and the file name of the sample letter submitted to the OAG.

Createthe Group is an upscale agency that represents top-tier luxury, fashion and retail clients. They work with many familiar brands, including Burberry, Calvin Klein, H&M, Hugo Boss, Louis Vuitton, Tommy Hilfiger, and more. Fashion isn’t their only game though, as they also represent Harrods, Hennessy, News Day, Vimeo, The Economist, and Lifetime Network.

In March of this year, fashion publications started reporting that Createthe Group was investigating a breach involving a number of their clients, and their now-retired CTS platform.

According to the company:

“Commerce Technology Solutions’ CTS Platform is the next generation digital commerce platform that delivers Creative Commerce Without Constraints, enabling brand-centric retailers to create unique commerce experiences across channels, deeply connect with their consumers, differentiate from competition and drive significant ROI.”

At the time, those covering the incident immediately suspected that the CTS platform was the root cause of the breach.

This speculation was somewhat confirmed, after a company spokesperson said that they had “proactively engaged Pen Test Partners, [and] an approved PCI Forensic Investigator company, to conduct a comprehensive examination to ensure that there has been no intrusion to the CTS Platform and to support the ongoing security of the CTS Platform.”

At the same time, the same statement also noted that the CTS platform would be retired, as the company was exiting the e-commerce business for a number of reasons including the “saturated nature of the e-commerce platform market and the allocation of time, resources and funding necessary to assure that CTS Platform remains cutting-edge…”

Salted Hash has reached out to Createthe Group for additional information. This story will be updated should they respond, as no one was available on Thursday evening.

However, given that American Express is warning customers and submitted a letter with the Createthe Group’s name to the OAG, it’s clear that something happened. But, as was the case with the other breach, the number of customers impacted remains unknown.

In related news, American Express said earlier this month that 76,608 people in California would get breach notification letters after some of their data was published by Anonymous Ukraine earlier this year.

Salted Hash has reached out to American Express for comment on these latest notifications, and will update should they respond.