Cyber Incident Victim: Banamex
Date: Jan 2021
Location: Mexico
Summary
A threat actor leaked data of 10,000 American Express credit cardholders, exposing account numbers and personal information including names, addresses, phone numbers, dates of birth, and gender. The actor also claimed to hold additional customer data from Mexican banking institutions, including Banamex, and offered it for sale. The exposed information lacked sensitive financial details like expiration dates or passwords, and the actor stated the data was intended for spam or marketing purposes. American Express acknowledged awareness of the incident, emphasized cardholder protections against fraudulent charges, and advised vigilance against potential phishing attempts leveraging the compromised personal details.
Description
On January 5, 2021, a threat actor publicly leaked data belonging to 10,000 Mexico-based American Express credit cardholders on a hacker forum, offering the information for free. The leaked dataset included full American Express account numbers alongside customers' personally identifiable information (PII), such as names, full addresses, phone numbers, dates of birth, and gender. The actor simultaneously advertised the sale of additional data purportedly belonging to customers of Mexican financial institutions, explicitly naming American Express, Santander, and Banamex as affected entities. Analysis by BleepingComputer confirmed the absence of credit card expiration dates, passwords, or highly sensitive financial details in the leaked sample, which limited immediate risks of fraudulent card transactions. The threat actor claimed their intent was to enable spam or marketing activities rather than financial fraud, stating they did not sell passwords, card information, or ID numbers. American Express acknowledged awareness of the incident but neither confirmed nor denied a breach, emphasizing existing fraud monitoring systems and cardholder protections against liability for unauthorized charges.

The incident exposed affected customers to heightened risks of targeted phishing campaigns, as attackers could leverage legitimate PII and partial card details to craft convincing fraudulent communications. BleepingComputer verified the authenticity of the 10,000-record American Express dataset but did not independently confirm the availability or legitimacy of the additional Banamex or Santander data advertised by the threat actor. American Express advised cardholders to monitor account statements for suspicious activity and remain vigilant against phishing attempts that might reference accurate personal or card details. No public statements from Banamex or Santander regarding the incident were included in the report. The leak underscored operational challenges for financial institutions in mitigating post-incident fraud risks when partial customer data becomes publicly accessible, even without full financial compromise.
