American Express told the California Attorney General’s office last week that 76,608 of its California customers are being notified that their credit card information has been released online by hackers.

The breach was in March and was just a small part of a much larger release of 7 million records from AmEx, Visa, MasterCard and Discover customers nationwide blamed on Ukraine Anonymous. Three months later, only American Express has begun the notification process.

At the time of the breach, analysts said it appeared that much of the information was old and gleaned from previous known releases of hacked data. Although some early scouring of the records reportedly turned up 4,000 instances of Social Security numbers, pins, birth dates and other critical user data, by and large the records were said to be restricted to more mundane information, like card numbers, expiration dates, routing information and full names.

The release came in two stages; archives with 1 million records were followed up shortly by four more archives with 6 million records. Visa cards made up the bulk of the second release, 3.3 million records, followed by MasterCard (1.8 million), American Express (688,279) and Discover (362,132), according to DataLossDB.

The release was accompanied by some bragging and a threat from Ukraine Anonymous, according to InfoSecurity, which cited a posting from the group on pastebin, a tool for publishing less-than-permanent text:

“For 15 years we have destroyed your economy and banking system, gradually increasing the U.S. national debt. That crash which came thanks to America happens to us. After the USA showed its true face when she unilaterally decides which of the peoples to live independently and who under the yoke of the Federal Reserve, we decided to show the world who is behind the future collapse of the American banking system. We own all the financial information of the Fed. And even more than you think.”  

After the anti-American hacktivist group absolved Americans and their elected representatives of responsibility for the Great Recession and the sorry state of capitalism, some analysts downplayed the dump. “Mostly, it's an intimidation tactic or a group trying to gain notoriety,” CSIRT Director Michael Smith at Akamai Technologies told BankInfoSecurity.

But not everyone was buying the story that the hacktivist group had targeted Americans and discomfited Californians. Just a few days after the breach became known, John Leyden at the British technology news website The Register wrote that some signs pointed to a frame-up by Russians trying to make their Ukrainian adversaries look bad.

There was no announcement of the release from Ukrainian Anonymous on their usual social media accounts, including Twitter, and a Russian-language website appeared to be the first forum that it appeared on.

Crossfire or not, Californians caught in the tangle are being told by American Express they will get the standard considerations extended to the growing number of people whose identity and assets have been compromised by data breaches. They won’t have to pay for any goods charged to their breached cards, they will receive free credit checks for a year and their accounts will receive additional scrutiny going forward.

–Ken Broder

To Learn More:

Anonymous Posts AmEx Card Data (by Jeffrey Roman, BankInfoSecurity)

American Express Issues Alert after Anonymous Dumps Cardholder Data (by Steve Ragan, CSO)

Potential 7 Million Credit Card Details Leaked (DataLossDB)

American Express Warns California Residents of Data Breach (InfoSecurity)

Did Russians Frame Ukrainian Hacktivists for Alleged Leak of 7 Million Credit, Debit Cards? (by John Leyden, The Register)