Nearly three months after Anonymous Ukraine claimed to expose roughly 7 million records, American Express has penned a letter to the California Attorney General's office saying that it will send breach notifications to 76,608 residents in the state affected by the disclosure.
In accordance with California Civil Code s. 1798.29(e) and Calif. Civ. Code s. 1798.82(f), which require companies to notify customers of breaches, Amex completed an incident reporting form stating that it was informed by law enforcement, identified in the filing as the U.K. National Crime Agency, that “several large files containing personal information were posted on internet sites...”
The records, the notification said, “contained varying data elements” that prompted the payment card company to notify, via mail, “58,522 California residents whose names and corresponding [American Express] account numbers were involved.”
The company also identified “additional card account information pertaining to 18,086 California residents” that was exposed, even though California law does not require it to do so, since customer names were not revealed in the dump.
Initially there was speculation that the records exposure was not actually orchestrated by Anonymous and that the data seemed dated, but Amex's letter to the California OAG refers to the hackers as “claimed members of ‘Anonymous’.” The alleged members of the hacktivist group posted some of the information on Pastebin, followed by a release of data on Twitter.
The group said it published the records to protest the U.S. government and its perceived manipulation of the financial markets.
"After the USA showed its true face when she unilaterally decides which of the peoples to live independently and who under the yoke of the Federal Reserve, we decided to show the world who is behind the future collapse of the American banking system," the group said in a Pastebin post that has since been removed, but was published by Wired.
In its notification letter to California residents, American Express says, “At this time, we believe the recovered data may include your American Express Card account number, the card expiration date, the date your card became effective and the four digit code printed on the front of your card.”
The company also offered assurances that customers' Social Security numbers were not impacted in the incident.
As part of the records dump, Anonymous Ukraine included records from Visa, MasterCard and Discover. Risk Based Security analyzed the group's data dump on Twitter and said it included 6,064,823 new cards, with 668,279 belonging to American Express, 3,255,663 to Visa, 1,778,749 to MasterCard and 362,132 to Discover.