Discover and American Express often submit copies of their breach notification letters to cardmembers to state attorneys general. Their letters, however, generally do not include the name of a breached merchant, so it is often difficult to know what to make of their submissions. But one particular American Express notification, submitted to California last week, caught my attention. Their letter states:
A company that provides payment processing services to numerous merchants has informed us that there has been unauthorized access to its processing system. As a result, account information of some of our Cardmembers, including some of your account information, may have been improperly accessed.
The breach occurred on January 15, according to the date American Express reported to California. But which payment processing services provider and what happened – and when did the provider discover the breach? AmEx reported to California that the breach was discovered on August 23, but I suspect this means that they first learned of the breach on August 23 and that is not when the breached entity learned of the breach.
From the filename AmEx used for its notification letter (“Celerant-C2013068451%20CA%20Customer%20Letter_0.pdf”) and the description saying “Celerant customer letter” (see screen shot taken from the California Attorney General’s web site), the breach appears to have been at Celerant Technology Corporation:
Celerant is a certified provider of retail payment processing software. On its web site, it states:
Celerant offers a multichannel, retail software solution for numerous retail industries, including apparel, footwear, sporting goods, furniture, specialty, gifts, convenience and more. With over 450 clients primarily within the United States, Canada, Europe and the Middle East, our retail system provides an all-in-one solution for retailers selling via brick and mortar stores and on the web.
DataBreaches.net has sent two emails to Celerant since Friday requesting confirmation and information on the breach, but has received no response as yet. I will provide an update when more information becomes available.