A data dump by hacktivists called Anonymous Ukraine, which triggered American Express to notify nearly 77,000 California residents of potentially exposed information, is posing a public relations challenge for the card brand even though it says its internal systems were not breached.
"It's not their fault, but the unfortunate thing is that consumers don't understand the nuance between data breach and data dump so when their cards are reissued it does have an impact," says Julie Conroy, research director and fraud expert with Aite Group. A data dump is the publication of a massive amount of collected data, which could have been obtained through card skimming or through attacks on merchant systems.
About three months ago, Anonymous Ukraine took credit for exposing 7 million records, with varying levels of consumer information including account numbers, card expiration dates and security codes.
"Some of the accounts had already been closed or the cards had already expired and been renewed," says Marina Norville, a spokeswoman for Amex. "Some of [the information] is old, so unlikely to be exploited or used by criminals."
Amex sent letters to the individuals affected, 76,608 of whom were California residents. The California Attorney General's office posted a letter Amex sent to it about the steps the New York card company took after the data dump.
Amex would not disclose how many letters it sent nationally. It did not have to reissue cards to any customers, says Norville. But Amex is offering affected customers one year of its account and credit monitoring service for free.
Amex "has more conservative notification processes than others," Norville says. Amex "is sending notifications out; it doesn't seem like other issuers are doing the same."
Anonymous Ukraine also leaked Visa, MasterCard and Discover information, according to reports.
"The cumulative impact on consumers hearing about all these breaches I don't think it has an impact on credit cards," says Avivah Litan, vice president and distinguished analyst at Gartner Inc.
Litan says credit growth has been steady, but e-commerce volumes may suffer due to these breaches.
"But that's usually the reaction consumers have," Litan says. "[Online commerce] won't decline but it won't grow as quickly."
While big brands are increasingly in the news due to data breaches, Conroy says this particular dump is a "drop in the bucket compared to other breaches we've seen [over the past] year."
During the holiday season last year, Target suffered a massive breach affecting 40 million payment cards. Soon after, Adobe suffered an even bigger breach that affected up to 163 million accounts. And last month, an eBay database that contained encrypted passwords and other user information was attacked. EBay asked all its users to change their passwords.