American Express Cardholders’ Personal Information Stolen by Insider

One former employee of American Express has taken its slogan, “Don’t Leave Home Without It,” to a new extreme.

Not only did he or she feel (presumably) obligated to carry his (or her) own card (assuming he or she was a cardholder), but also this ex-employee stole account information of other cardholders, so that the don’t-leave-home-without-it security blanket of one’s own card might be multiplied by that of all the other people’s cards whose information this ex-employee stole.

Unfortunately for the ex-employee, and fortunately for all the other cardholders, this scheme was uncovered and the ex-employee caught. (Question: was the ex-employee still actively employed by American Express at the time he or she was caught?)

Today, some American Express cardholders received a letter with the not-very-encouraging opening sentence:

“I am writing to inform you of an unfortunate issue concerning your American Express Card.”

American Express then explained what it meant by an “unfortunate issue”:

“We recently learned that certain account data was acquired without authorization by an employee who is no longer with the company”

Translation to plain English: when the former employee “acquired” “account data” “without authorization” he or she stole personal information of American Express customers which might be used to fraudulently charge their cards.

According to American Express, the rogue ex-employee stole data stored on the magnetic stripe on the back of the customers’ American Express card:

  • the card holder’s name,
  • account number,
  • card’s expiration date,
  • PIN number,
  • card holder’s state of residence, and/or
  • card holder’s residence zip code.

American Express’s bad-news letter, apparently searching for a silver lining, stressed that the card holder’s social security number was not among the stolen information.

In a telephone call with American Express today, a representative named Patty gave more information:

  • The alleged perpetrator was arrested in Phoenix, Arizona on June 24th, 2009.
  • The stolen information was downloaded to a laptop computer.
  • The case is being prosecuted in federal court, not state court.
  • Identifying information about the perpetrator (i.e., name, gender, position at Amex when in its employ, job position, title and his or her responsibilities) was not available to the American Express representative with whom I spoke.
  • Amex has hired an outside security firm to assist it in dealing with this case (it is not clear who that outside firm is or what it is doing for American Express, but Amex has definitely hired somebody to do something).

American Express’s representative stated today that the number of accounts which were affected by this security breach and theft was unavailable.

Later in the same conversation she said that “very few” accounts were affected. But still, the American Express representative did not have any more detailed information to describe how many affected accounts qualified as “very few.”

Internet searches for additional information about this security breach have yielded nothing, so far. Searching the website of the United States Department of Justice for the US Attorney’s Office in Phoenix also showed nothing. No press releases regarding arrests, arraignments, indictments or anything else.

The House (Probably) Can Tell Us Which Bailout Recipients Owe the IRS — And Should

One has to wonder if the House Ways and Means Committee’s subcommittee on oversight got it right when it told reporters that it could not legally release the names of the companies who received bailout money while owing back taxes, two of which owe more than $100 million each. (See Associated Press article, “Some Getting Bailout Cash Owe Millions In Back Taxes,” in the New York Times on 3/20/2009 A19 col. 6.)

Ordinarily, a taxpayer’s tax information, whether it is an individual or a business, is treated as very private, very secret. In fact, IRS employees can be, and are, fired, criminally charged, convicted, and sentenced for the Unauthorized Inspection of Tax Return Information or Accessing of Tax Account Information.

But, when a taxpayer is late in paying a tax bill, these super-strong privacy rules don’t fully apply anymore.
