Back on June 20, 2012, GoTickets.com notified the California Attorney General’s Office of a breach that reportedly occurred between May 22 and May 30, 2012. In their sample notification letter submitted to the state, they wrote:
We were recently made aware that certain payment card information used on our www.gotickets.com website may have been exposed. We are notifying you that the payment card you have on file with us (name of card and last four digits) may have been affected by this situation.
We are taking appropriate precautionary measures to ensure that this situation is resolved and to help alleviate concerns you may have.
What Happened?
Pending the final results of our investigation, it appears that an unknown, outside group or individual improperly accessed www.gotickets.com’s database possibly exposing some of our customers’ sensitive information, including shipping, billing and credit card data related to purchases made through www.gotickets.com. We believe this improper access occurred on or around May 22 and May 30, 2012.
Although we are not certain that your sensitive information was affected, as a precaution, we are advising you to keep a close eye on this account’s activity.
[…]
Okay, but now I find that American Express Travel Related Services notified the California Attorney General’s Office on November 6, 2012 about a breach that occurred on November 6, 2011. In their sample notification to their customers, AmEx writes:
American Express is strongly committed to the security of all our Cardmembers’ information and wants to inform you that a merchant where you have used your American Express Card for payment detected unauthorized access to its data files.
At this time, we believe the merchant’s affected data files included your American Express Card account number, your name and the expiration date on your card. Importantly, your Social Security number is not impacted and our systems do not show any indication of unauthorized activity on your Card account related to this incident.
Note that AmEx doesn’t name the merchant and doesn’t mention that the breach occurred a year ago (unless that’s a typo on AmEx’s part when it submitted the incident to California). But their filename for this report is “Pages from GoTickets com-C2012065270 CA AG Letter.pdf”
So… was GoTickets.com’s breach worse than what they reported in June 2012, or is this a newly discovered older breach, or some mistake on AmEx’s part?
I’ve emailed GoTickets.com and will update this post if/when I get an answer.