This morning, a close friend of mine pointed me to some interesting documents on the American Express website. These documents seem to be leaking sensitive information including detailed activity for a corporate purchasing card.
The documents clearly show the amounts, the specific merchants, dates, and places where the transaction was made and more. The documents include a complete Microsoft Office Excel breakdown of the charges, with account numbers and other details. These documents were not password protected or on a protected website; they were completely in the open, no authorization needed.
We notified American Express of these details via their online contact form (which is available after you log into their system) on June 7th, 2010, at approximately 9:17 AM PDT. The files were still available on the American Express website as of June 7th, 2010, at 9:28 AM PDT.
We’re curious if these are fake documents deliberately put out on the site. If they are, it would be interesting to know why they have chosen to do so.
We hope someone at American Express will take notice of this important issue. As previously mentioned, American Express was contacted prior to this posting. (Edit: See the reply from American Express below.)
The reply from American Express:
Thank you for your email.
I have forwarded your comments regarding this situation to our concerned department, so that they may look into this issue. During this review, we may contact you if additional information is required.
Be assured that the feedback we receive from Card members plays an important role in enhancing your customer experience.
We take our Cardmembers’ security concerns very seriously. We hope that if you suspect the legitimacy of an e-mail you receive in the future, you will forward a copy to us, so we can investigate it for you.
We very much appreciate your vigilance on our behalf. If we can be of assistance to you in the future, please contact us.
We value the relationship built with you and we hope that you will continue to allow us to meet your Card needs for many more years.
Have a wonderful day!
Update: American Express replied on June 7th, 2010, at 9:51 AM PDT.
Obfuscated screenshot below:
Update: Screenshot removed.