American Express Keeps Emailing Sensitive Customer Info To A Random Stranger

We’re starting to think Amex doesn’t take this whole “data security” thing very seriously. First they confused a customer, and us, a few months ago with their random confirmation phone call, where they demanded a customer turn over bank account information over the phone without giving him a way to verify they were really Amex. Now a reader says the company has “for years” been sending him someone else’s account info via email, including the customer’s name and the last 5 digits of his account number. J.R. writes, “Seriously, I’ve seen better security on a video game forum.”

For years, American Express has flooded my inbox with emails intended for one of their customers (who gave them my address by mistake).

These emails contain sensitive data, including the customer’s name *and last five digits of his account*.

Get this: American Express doesn’t send out email verification letters!

I could tell you the whole sad, scary, hilarious story if you want me to, including the bit where the superior of a superior I finally talked to told me flat out that, “American Express does not email its customers the last five digits of their account,” and then sat in awkward silence as I *quoted him back his own company’s email*.

I just wanted you to know that customers of American Express may have their sensitive data compromised, and that AmEx makes this damn near impossible to report a case like this and then does absolutely nothing about it.

Seriously, I’ve seen better security on a video game forum.

(Photo: RobotSkirts)

Comments


  1. aja175 says:

    Wow, that’s a pretty big security issue. Chances are they don’t have a set way to handle that. If you can’t get the CSR to action the issue request a supervisor. They will know how to work around a process that doesn’t exist.

    • CubeRat says:

      @aja175:

      I don’t know, it sounds like he already went to a superior of a superior and still could not get anything resolved.

      Makes me wonder why the superior lied (or any CSR) when they know if they are found out they will just look like a jackass.

  2. sanjsrik says:

    Amex put that little chip in my blue card, which is insecure, so I called up customer service, who literally laughed at me when I informed them of the insecurity of the said chip. I said I wanted a card that didn’t have a chip; they claimed they didn’t make one any more. However, I found an article that said Amex execs agreed to send out a non-chip card to anyone who requested it. Of course, the CSR (what a surprise) had never heard of that agreement.

    According to them, they can “disable” the chip remotely. Makes me feel so much better.

    • Shappie says:

      @sanjsrik:

      Couldn’t you take a nail and hammer and ‘disable’ it yourself?

      • sanjsrik says:

        @Shappie:
        Yeah, I can see the next time I try to use the card (which for the last month has been zero times), but I don’t think anyone would accept the card with a smashed chip on it.

      • t0ph says:

        @Shappie: I seem to remember reading a few years back that people were taking a hammer to the new US Passports, as they had some chip or RFID or something to that effect.

    • Trickery1 says:

      @sanjsrik: The chip is an RFID chip that cannot be disabled remotely. They might be able to stop it from being used, but your info is still broadcasting from that chip. Call the Card Replacement Unit (800-922-3404) and ask the rep to send a card without the chip. It is possible, but rarely is it asked for. Ask for an account manager if they don’t know what you’re talking about.

      Either that, or go at it with a nail and hammer! That’ll do the trick! ;)

    • clint07 says:

      @sanjsrik: What security issues are there with the Amex chip? I’ve never dealt with the Amex cards themselves but work with smartcards, and if it was just a contact chip, presumably requiring a PIN, it should have been rather secure (more so than a credit card number alone).

      That is unless you are talking about the newer contactless (RFID) chips. Those do have legitimate security issues.

    • Eyebrows McGee (now with double the baby!) says:

      @sanjsrik: They don’t do the non-chipped cards anymore, but they will “disable” the chip — the chip has a different number (or code or whatever) than the card and if someone tries to use the chip number, it’ll be flagged as fraud.

    • Velifer says:

      @sanjsrik: My cards that came with RFIDs in them all got the hole-punch treatment. On rare occasion, a cashier will ask about the hole, then I tell them about how insecure the chips are, and they go and do it to their cards!

      Holey cards are the secret handshake of the security aware.

  3. legwork says:

    While I’m not sure I’d be too worried about my name and 5 digits, it is still weird. Definitely matches the twilight-zone meter with the random security calls mentioned earlier.

    Doesn’t this all come down to the fact that the banks don’t have to care, so they don’t? I mean, they obviously see their adversarial relationship with customers as good business. So without the “assistance” of ground rules, why would we expect them to improve?

    • Anonymous says:

      I wouldn’t worry about the last 5 digits either. I’m not making excuses for amex, but 4 of those last five digits aren’t part of the “real” account number. They indicate whether it’s a replacement card, and a primary or supplemental card. The last one is a check digit. All this according to a thread on flyertalk.

  4. Paladin656 says:

    I would suggest calling and speaking to AmEx’s fraud or security department. You may get someone a little bit more knowledgeable about account security practices than a front line CSR.

  5. AstroPig7 says:

    1.) Run your decades of good reputation into the ground by randomly cutting credit lines and generally being dicks.

    2.) Implement lax security and refuse to acknowledge any instances of it.

    3.) Profit?

    • sanjsrik says:

      @AstroPig7:

      Wow, they could be screeners for the TSA.

    • HiPwr says:

      @AstroPig7: I never considered the credit limit on my AMEX card. I suppose there must be one.

      • Beth Gardner says:

        @HiPwr: You probably should. Since I have had AMEX for about a year, with a relatively “low” limit; never a late payment…and they randomly closed my account a couple of months ago based on a 30-day notice from a store credit card from three years ago–which was obviously on my credit report when they originally issued me the AMEX card to begin with–and which has nothing to do with AMEX in any way, shape or form…

        It makes me furious that AMEX feels as if it can play around with people’s credit ratings like that. Oh, and the response when I said that this was going to affect my rating? The CSR had the balls to tell me that “oh, no, it won’t affect your rating because AMEX closed your account.” I have one word for that– BULLSHIT.

        Why don’t more people wonder why AMEX can suddenly afford to pay back the TARP loan when they were in such “dire straits” in 2008? I can see it now–“Oh wait–no bonuses? Let’s screw up some nobody’s chance at getting a mortgage, why don’t we?”

  6. Trickery1 says:

    You can’t really do much with someone’s name and the last 5 digits of a card number. Security isn’t an issue here, the unsolicited e-mails should be the only problem.

    Call them up and ask to be transferred to online services. Those folks may be able to get the e-mails to stop. Otherwise, just mark them as spam and delete them.

    As far as getting a phone call from someone claiming to be American Express, just tell the person that you don’t feel comfortable since they called you, and ask for the name of their department. Call the number on the back of your card and ask for that department.

    Simple! Hope this helps.

  7. macinjosh says:

    I just looked at a smattering of emails I got from Amex (bill reminders, statement ready notice). They all have my name and the last 5 digits of the acct #, so I dunno what that superior was thinking.

  8. macinjosh says:

    This also reminds me of one of my ex-coworkers receiving someone else’s freq flyer envelopes. He called the airline to tell them they have the wrong address, and they told him they can’t change the info or stop mailing unless the customer himself requests it, for privacy reasons…. even though to continue sending it is more of a privacy breach.

    • sanjsrik says:

      @macinjosh:

      Remember, the companies are not wrong, you’re just not right.

    • Trickery1 says:

      @macinjosh: Most companies, including American Express have a feature to stop mailing stuff to an address on an account that gets mail returned.

      So if you’re getting someone else’s mail, do not open it and try to call the company and tell them to stop. Just return to sender any mail that’s not yours; the company will notice that person’s address is wrong and it’ll stop all mailings for good.

  9. Parade of Horribles says:

    I accept credit cards in an industry (Web hosting) at high risk for fraud, and had a high chargeback rate a few years ago before I got better at screening orders. AmEx sent me chargebacks all the time that were intended for other merchants, or had a whole bunch of cardholders’ sensitive information attached as documentation when it wasn’t needed. Once I caught onto patterns of fraud, I tried calling them to report suspicious orders; 80% of the time, they’d refuse to check with the cardholder or even verify that the cardholder phone number I had was correct.

    AmEx’s policies are very buyer-friendly, but they’re a nightmare for merchants and their bad data handling hurts everyone.

  10. Anonymous says:

    Confirmation

    Verify Your Request

    Your Account Number Ending: -12345

    Dear [Consumerist Reader]:

    Did you recently verify your User ID or reset the password that you use to manage your American Express® Card account online?

    If so, you can disregard this email. To help protect your identity online, we wanted to be sure that you had made this request.

    If not, please call us immediately at 1-800-297-1234 so we can protect your account from potential fraud.

    Thank you for your Cardmembership.

    Sincerely,

    American Express Customer Service

    P.S. To learn how to protect yourself on the internet and for information about Identity Theft, Phishing and Internet Security, please visit our Fraud Protection Center at http://www.americanexpress.com/fraudprotection.

    Contact Customer Service View Our Privacy Statement Add Us to Your Address Book

    This customer service email was sent to you by American Express. You may receive customer service emails even if you have requested not to receive marketing emails from American Express.

    Copyright 2009 American Express Company. All rights reserved.

  11. edesignway says:

    One thing I have noticed over the years I have been with Amex… when I am issued a new card, only the last five digits are changed. I have had personal and business cards with them… on all of them, only the last five. To me I think it would be pretty easy to use those last five digits in the email for bad use.

  12. SJActress says:

    Amex are absolute idiots and have horrible customer service. I’ve lived at this address for 5 years and they STILL send mail here for the previous house owner. I’ve called them at least once every two months to tell them he doesn’t live here, as well as Return to Sender on each and every piece of mail, and they still don’t get it.

    They SUCK. Stay far, far away.

    • scoosdad says:

      @SJActress: Write “deceased” across the envelope and drop it back in the mail. That may get their attention.

      • econobiker says:

        @scoosdad: Or send a letter requesting a new card in that name (using all of your correct info) and see if they issue it. Publish AMEX’s stupidity on the internet if they do issue a replacement card in that other person’s name to you at your address.

  13. Scott Kursk says:

    A discount broker I worked for would have customer apps with signature, socials, etc. faxed to a Tae Kwon Do studio, as their fax number was one digit off of another branch’s fax number. Made the trip over there a couple times. I always laugh when people go on about cyber security when it is faxes that are the most ridiculously insecure forms of communication out there.

    Plus, a dry cleaner accidentally gave out one of our phone numbers as theirs in their ads etc. due to a couple of inverted digits, and we got numerous calls etc. from their back office, including ones giving us the “heads up” about surprise audits and inspections. Took them a good year before the calls finally quit coming in.

    • econobiker says:

      @Scott Kursk: A Canadian bank was famously out for faxing customer info to a West Virginia junkyard and not caring until the yard owner sued:

      [www.freerepublic.com]

      My parents’ home shared a close number with a local restaurant, and they ended up getting comped a meal a month due to the issue. They even ended up advertising the restaurant on their answering machine message when the message gave out the correct number.

  14. chrisjames says:

    Sounds silly, but I’d suggest an EECB with a CC to a few news tiplines. CSRs may not know anything that’s happening, even a “superior of a superior.” They’re often in separate, disconnected departments in the company, and we all know the problems with outsourcing. Get somebody who can take action in the know, and pepper on a little public disgrace.

    Or just use a filter.

  15. SunsetKid says:

    I have been getting emails for years for someone else’s Wells Fargo account. At one point I even had his name. I have called Wells Fargo several times but they don’t seem to give a damn. This guy seems to be a deadbeat since his account is almost always overdrawn but the latest missive said they just sent him a new debit card so I guess WFB is making money on all the penalties and fees.

  16. EyeintheLAsky says:

    I keep getting what are apparently report cards and status reports on someone some school seems to think is my daughter (I have NO biological offspring – that I’m aware of).

    I used to write them that she isn’t mine…and I don’t need to know how she’s doing in her studies.
    Now…I remind them to pile on the organic chemistry, trig and classes in Mandarin. She LOVES the challenge!!

  17. Anonymous says:

    I have the same first initial and last name as my Mom. We both have a Costco Amex, but they are separate accounts, at different addresses, with different phone numbers. Amex has now called me about 10 times regarding a problem with a purchase she made (she typed in the wrong verification code). I’ve told them about 10 times exactly what the problem is, what her correct info is, etc. And yet, they keep calling. I suppose it’s lucky in that they’re only calling me, but I shudder to think about how poor their CSR tracking must be, since all that we share in common, as far as Amex knows, is a first initial and last name. Can’t imagine what might be happening to the John Smiths of the world.