It’s Not Supposed to Work Like This
Michael Winerip of The New York Times recounts the experience of an AmEx customer who logged into his new American Express business credit card account account online only to discover he had accessed a stranger’s account:
“I could see all her personal information,” said Mr. Goldstein, who was both transfixed and fearful that he had instantaneously become a criminal. “I could see her name, address, e-mail. I could see what banks she’s with. I saw her recent shopping activity, recent payments, where she’d rented a car. She had an affinity account with a hotel chain, Starwood. I could see how to order an additional card. I could add an authorized user: me. I could change her billing address.”
He had a tough time getting through to anyone at AmEx who might care about security and privacy. After numerous phone calls and after three weeks of trying to get the company to look into the problem, he finally got a response.
Amex called the problem “an unusual case of two customers coincidentally having nearly identical log-in information, which led one card member to inadvertently log in to another card member’s account.”
“Our site remains secure,” she said.