American Express Cardholders’ Personal Information Stolen by Insider

One former employee of American Express has taken its slogan, “Don’t Leave Home Without It,” to a new extreme.

Not only did he or she feel (presumably) obligated to carry his (or her) own card (assuming he or she was a cardholder), but also this ex-employee stole account information of other cardholders, so that the don’t-leave-home-without-it security blanket of one’s own card might be multiplied by that of all the other people’s cards whose information this ex-employee stole.

Unfortunately for the ex-employee, and fortunately for all the other cardholders, this scheme was uncovered and the ex-employee caught. (Question: was the ex-employee still actively employed by American Express at the time he or she was caught?)

Today, some American Express cardholders received a letter with the not-very-encouraging opening sentence:

“I am writing to inform you of an unfortunate issue concerning your American Express Card.”

American Express then explained what it meant by an “unfortunate issue”:

“We recently learned that certain account data was acquired without authorization by an employee who is no longer with the company.”

Translation to plain English: when the former employee “acquired” “account data” “without authorization” he or she stole personal information of American Express customers which might be used to fraudulently charge their cards.

According to American Express, the rogue ex-employee stole data stored on the magnetic stripe on the back of the customers’ American Express cards:

  • the card holder’s name,
  • account number,
  • card’s expiration date,
  • PIN number
  • card holder’s state of residence, and/or
  • card holder’s residence zip code.

American Express’s bad-news letter, apparently searching for a silver lining, stressed that the card holder’s social security number was not among the stolen information.

In a telephone call with American Express today, a representative named Patty gave more information:

  • The alleged perpetrator was arrested in Phoenix, Arizona on June 24th, 2009.
  • The stolen information was downloaded to a laptop computer.
  • The case is being prosecuted in federal court, not state court.
  • Identifying information about the perpetrator (i.e., name, gender, position at Amex when in its employ, job position, title and his or her responsibilities) was not available to the American Express representative with whom I spoke.
  • Amex has hired an outside security firm to assist it in dealing with this case (it is not clear who that outside firm is or what it is doing for American Express, but Amex has definitely hired somebody to do something).

American Express’s representative stated today that the number of accounts which were affected by this security breach and theft was unavailable.

Later in the same conversation she said that “very few” accounts were affected. But still, the American Express representative did not have any more detailed information to describe how many affected accounts qualified as “very few.”

Internet searches for additional information about this security breach have yielded nothing, so far. Searching the website of the United States Department of Justice for the US Attorney’s Office in Phoenix also showed nothing. No press releases regarding arrests, arraignments, indictments or anything else.


2 thoughts on “American Express Cardholders’ Personal Information Stolen by Insider”

  1. Allan – write to – there is an inside track that can get you to Phoenix people who do have more information. American Express notoriously buries any of its data breach information from the search engines. They have Seth Godin on board as one of their tactical marketing strategies, so that is exactly why you will find minute amounts of info regarding the incidents.

    AXP naturally isn’t going to say very much about it because of the lax internal security. Also very ironic is the fact that AXP was the instigator in the PCI DSS realm but does not adhere to what they enforce on merchants. If I were a merchant, I would be mad as hell to know that I am responsible for implementing a security program and paying for what the card companies ARE NOT SUFFICIENTLY doing themselves.

    Clearly Timothy Culey (do a Google search on that – Timothy J. Curley, aged 43) had godlike access to a pool of bounty. What they really wanted to keep out of the news is that he was a crystal meth user, too.

    It is all gravy any way you look at it. There is nothing you can do. It is a company of lawyers, Warren Buffett and the most (over)paid CEO in the world.
