November 4, 2013

A hacker break-in at a U.S. company that brokers reservations for limousine and Town Car services nationwide has exposed the personal and financial information of more than 850,000 well-heeled customers, including Fortune 500 CEOs, lawmakers, and A-list celebrities.

CorporateCarOnline says: "Trust Us: Your Data is Secure"

The high-value data cache was found on the same servers where hackers stashed information stolen from PR Newswire, as well as huge troves of source code data lifted from Adobe Systems Inc. — suggesting that the same attacker(s) may have been involved in all three compromises.

In this case, the name on the file archive reads “CorporateCarOnline.” That name matches a company based in Kirkwood, Missouri, which bills itself as “the leading provider of on-demand software management solutions for the limousine and ground transportation industry.”

I reached out several times over almost two weeks seeking comment from CorporateCarOnline.com. At length, I reached owner Dan Leonard, who seemed to know what I was calling about, but declined to discuss the matter, saying only that “I’d prefer not to talk to anybody about that.”

It’s understandable why the company would decline to comment: Inside the plain text archive apparently stolen from the firm are more than 850,000 credit card numbers, expiry dates and associated names and addresses. More than one-quarter (241,000) of all compromised card numbers were high- or no-limit American Express accounts, card numbers that have very high resale value in the cybercrime underground.
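As a defender's check, added here and not part of the original post: a small scanner that finds Luhn-valid card numbers in a plaintext export like the one described above and reports them masked, tallied by brand the way the post tallies the Amex share, so an operator can find an unencrypted card archive before anyone else does. The sample lines are constructed, and the issuer prefix/length ranges are assumptions for illustration.

```python
import re
from collections import Counter
from typing import List, Optional, Tuple

# Constructed sample lines in the shape of a plaintext reservation export
# (name | card | expiry | chauffeur note). The card numbers are the widely
# published industry test PANs, not real accounts; the last line carries a
# digit run that is not Luhn-valid plus a phone number, to show both are skipped.
SAMPLE_ARCHIVE = """\
Doe, Jane|378282246310005|12/14|VIP - call on arrival
Roe, Richard|4111-1111-1111-1111|03/15|SuperVIP! meet inside
Acme Travel|5555 5555 5555 4444|07/16|tail number N12345
Smith, Pat|1234567890123456|01/13|phone 314-555-0199
"""

# A run of 13 to 19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def brand_of(digits: str) -> Optional[str]:
    """Coarse issuer classification by prefix and length (assumed ranges)."""
    n = len(digits)
    if n == 15 and digits[:2] in ("34", "37"):
        return "amex"
    if n in (13, 16, 19) and digits[0] == "4":
        return "visa"
    if n == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "mastercard"
    return None


def mask(digits: str) -> str:
    """Keep only the last four digits so the report never re-exposes the PAN."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, brand, masked_pan) for each Luhn-valid, branded PAN."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_ok(digits):
                continue
            brand = brand_of(digits)
            if brand is not None:
                hits.append((line_no, brand, mask(digits)))
    return hits


def brand_counts(hits: List[Tuple[int, str, str]]) -> Counter:
    """Number of PANs per brand, e.g. to measure the Amex share of an archive."""
    return Counter(brand for _, brand, _ in hits)


if __name__ == "__main__":
    found = find_pans(SAMPLE_ARCHIVE)
    for line_no, brand, masked in found:
        print(f"line {line_no}: {brand} {masked}")
    print(dict(brand_counts(found)))
```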

Alex Holden, chief information security officer at Hold Security LLC and a key collaborator on the research in this post, said CorporateCarOnline confirmed to him that the data was stolen from its systems.

“While the target is not a household name, it is, arguably, the highest socially impacting target yet,” Holden said. “By its nature, limo and corporate transportation caters to affluent individuals and VIPs.”

Further pointing to a compromise at the site is the presence of a vulnerability in its implementation of ColdFusion, a Web application platform that has become a favorite target of the attackers thought to be responsible for this and other aforementioned breaches of late.

Below are some of the rich and famous whose pick-up and drop-off information — and in some cases credit card data — was in the stolen archive. Nearly all of these individual records were marked with “VIP” or “SuperVIP!” notations. Included in quotes are notes left for the chauffeur.

CELEBRITIES

Photo: Keith Allison

LeBron James – Thomas & Mack Center sports arena, athlete entrance, July 22, 2007; “Call Lynn upon arrival.”

Tom Hanks – Chicago Midway, June 19, 2013; “VVIP. No cell/radio use with passenger/prepaid. 1500 W. Taylor Street Chicago, Rosebud, Dinner Reser @8pm”

Aaron Rodgers – Duncan Aviation, Kalamazoo, Mich., June 26, 2010; “Kregg Lumpkin and wife. 3 Bottle Waters. Greg Jennings Foundation.”

LAWMAKERS

House Judiciary Committee Chairman Rep. John Conyers, (D-Mich.), July 4, 2011, Indianapolis International Airport; “Meet and Greet Baggage Claim. US Congressman. A DFTU situation” [not quite sure what this stands for, but my guess is “Don’t F*** This Up”]

Sen. Mark Udall (D-Colo.), chair of the Senate Armed Services Committee’s Subcommittee on Strategic Forces. Boston Logan Intl. Airport, Sept. 14, 2009; “Contact if need be Yolanda Magallanes [link added]. Client will have golf clubs with him.”

Other current members of Congress whose information appears in this database include Rep. Joe Garcia (D-Fla.); Rep. Gus Bilirakis (R-Fla.); Rep. Jim Matheson (D-Utah); Rep. Lynn Westmoreland; Rep. Joe Baca (D-Calif.); and Rep. Mario Diaz-Balart (R-Fla.).

A number of former lawmakers were passengers with limo companies that gave their customer data to CorporateCarOnline, including:

Sen. Tom Daschle (D-SD), Des Moines, Iowa, July 21, 2010; “Ag Innovation Committee. Passengers plus luggage. Passengers: Lori Captain, Mary Langowski, Jonathan Sallet, Tom West, Jim Collins, Senator Tom Daschle, JB Penn, Anthony Farina.”

Sen. John Breaux (D-La.), Aug. 27, 2010; “Ambassador Steven Green & Senator Breaux. ***VIP***DO NOT COLLECT”

Rep. James Saxton (R-NJ), Rep. William Delahunt (D-Mass.), Rep. Billy Tauzin (R-La.).

TOP EXECUTIVES

Donald Trump, Wynn Hotel, Las Vegas, Feb. 12, 2007: “Must be new car, clean, and front seat must be clear.”

Michael D. Grimes, co-head of global technology investment banking for Morgan Stanley. Jan. 30, 2013; “Always wants ‘Michael David’ for name sign. Do not use last name! Always wants inside meet. VIP, co-head of worldwide technology.”

Bruce Chesley, director, advanced space and intelligence systems, Boeing; LAX, July 5, 2013.

Josue Christiano Gomes da Silva, chairman and CEO of Companhia de Tecidos Norte de Minas, the largest textile group in Latin America, June 2, 2013: “Cheauffeur meets inside luggage claim with printed name sign. SUPER VIP CLIENT. EVERYTHING MUST BE PERFECT!”

Patrick M. Prevost, president and CEO, Cabot Corp. June 2, 2013; “SUPER VIP he is CEO of Cabot Corp!”

Kjeld Kirk Kristiansen and Jorgen Vig Knudstorp, the former and current CEOs of Lego Corp.

AMMO FOR TARGETED ATTACKS?

This database would be a gold mine of information for would-be corporate spies or for those engaged in other types of espionage. Records in the limo reservation database telegraphed the future dates and locations of travel for many important people. A ridiculously large number of entries provide the tail number of a customer’s plane, indicating they were to be picked up immediately upon disembarking a private jet.

Such information would be extremely useful in the hands of nation-state level attackers. For a very relevant and timely example of this, consider the cyber spying story printed last month by Foreign Policy magazine. That piece featured an interview with Kevin Mandia, the chief executive of Mandiant, an Alexandria, Va.-based firm that specializes in helping companies defend against cyber espionage attacks. In the FP story, Mandia said he recently was the target of a targeted cyber attack that tried to foist malicious spyware on him via an email with a booby-trapped PDF copy of a recent limo invoice.

“I’ve been receiving PDF invoices not from them, but from an [advanced hacking] group back in China; that’s awesome,” Foreign Policy quoted Mandia as saying. According to the story, Mandia only caught the attack when the hackers sent receipts on days when he hadn’t used the car service. “I forwarded them to our security service, and they said, ‘Yup, that’s got a [malicious] payload,’” Mandia said.

Incredibly, this purloined limo database may have played a part in those attacks. Among the 850,000+ records in the stolen CorporateCarOnline data are several travel records for Mandiant employees, including Kevin’s. Other Mandiant employees who used limo services via CorporateCarOnline include David Swanson, manager of strategic solutions at Mandiant, and Andrew Williams, a sales account executive. I shared the Mandiant data with a representative for the company, which declined to comment for this story.

TABLOID FODDER

Any two-bit tabloid would have an absolute field day with this database. Simple text searches for certain words (“sex,” “puke,” “arrest,” “police,” “smoking pot”) reveal dozens of records detailing misbehavior and all kinds of naughtiness by executives, celebrities and people you might otherwise expect to behave civilly.

Photo: Arizona Limo Rides

For example, the following is an explanation taken from a limo reservation made back in May 2006 by a woman working for MTV. The limo in question was actually a stretch Hummer with capacity to seat 14 passengers, and was rented for the occasion of visiting a series of wineries in Long Island, NY. When the stretch Hummer returned to the shop after disgorging its passengers, the fleet’s owners discovered that the vehicle had been plastered with cheese slices and crackers, and that someone had left behind a sex toy:

“We would like to apologize for the inconvenience that was caused at the beginning of Your rental and we hope that by giving You 2 hours free of overtime we made it up to You. The power problem was out of our control and could not be foreseen since right before dispatching the car everything was properly working. After the vehicle returned to base we discovered that it was left in a complete mess. Slices of cheese were all over the seats, windows and the bars. On top of that, crackers were left on the floor and seats crushed by people sitting and walking all over it. We are transportation company not a restaurant and we specifically put in our terms and conditions that we do not allow any food in our limousines. Also we do not allow any sexual activities in the car and we have found sex toy while cleaning the car. We have charged your card for cleaning fee of $100 since we had to send limousine to the car wash to get it detailed after all the activities during your rental.”

60 thoughts on “Hackers Take Limo Service Firm for a Ride”

  1. Richard Steven Hack

    No food in a limo? Seriously? Not exactly a “party crowd” service, are they? 🙂

    I’d really like to see a full list of the celebrities whose data was obtained. 🙂

  2. Lawl

    Hahaha. This is great. Can’t wait to see all the interesting stories that follow.

  3. AndrzejL

    If they catch him – he is screwed… and not in a good way! 😀

    Cheers.

    Andrzej

  4. DefendOurFree

    Why would any ‘fodder’ be in a limo record?

  5. Gary

    “…the data was stolen…”

    Thanks for recognizing the concept of collective singular, Brian. I get so tired of reading “data are/were”

  6. IA Eng

    I cannot tell you how many “old school” companies that are out there that simply don’t get it. They are asking to have their pants yanked down to the floor.

    It’s not that they don’t have the cash to bring someone in to manage their databases and make sure they are using encryption, it’s a mindset – they have been doing it this way for YEARS and all has been good, so why change?

    It only takes ONE instance of self destruction and the loyal customers – especially the “rich and famous” – will probably bail for another service. I guess that’s one way for the owners to get a clue and a new business name – If they survive any sort of Class Action suit that shows people have personally suffered loss due to this specific incident.

    Geesh. Nowadays for payment processors, it’s simply too EASY to use a 3rd party payment service like paypal. Why bother paying a monthly fee to have a credit card service and then have to maintain records of all transactions and credit cards. With a 3rd party service, you get the funds, double-check it’s not a ruse by typing the web address in yourself and checking payment. You don’t maintain credit card info, and at worst, you may have a cell phone number or address vice credit card data.

    There is a simple cure to something like this, but it would have to be on the state level. The state could give a business a tax break; a semi significant one – if they have a 3rd party auditor sign their life away that the specific items on the state provided checklist are certified in place and up to date.

    The company applies for the tax break, the state assigns a date range and potentially a list of 3rd party auditors that are certified to perform the task, and the company is notified and has a 3-5 business day window to schedule an appointment and a one-time shot to pass the audit.

    These audits should be available to a business once every 5 years or so at start so it’s not too much of a burden. It not only helps a business understand security, it helps the state understand that there are businesses still out there operating, and they can adjust their records accordingly.

    I know, I know…too much bother, too much planning, no one has time for that. Simply grabbing the mop bucket and picking up the bits (1’s and 0’s) after a spill is A LOT easier.

    1. Ralph L. Seifer

      I could not be more in accord with this thought. I use PayPal whenever the vendor offers it, and provide credit card info only with great reluctance and on occasions when no other choice exists.

      I’ve tried to convince others of the value of a PayPal account, but to no avail as far as I know. They really drag their feet about depositing funds in advance, and it’s impossible to make them see the light on the security issue.

      Full disclosure: I do not own GOOG presently or in the past. Ralph L. Seifer, Long Beach, California

      1. George G.

        Maybe I do not understand the inside structure of how PayPal works,
        but what happens when PayPal gets hacked ?

        (Isn’t it always the question of not if, but when ?)

        1. Johann

          Then they’d probably have made it hard enough for the attackers so that they’ll notice them before they can do much damage.

          At least, I’ve heard that they store important data on different servers than those that handle the web, which are only accessible in a certain way etcetera…

          And, hopefully for them and their users it’s enough.

    2. Uzzi

      Quad-Fail?:

      I. “Trust Us: Your Data is Secure” (CorporateCarOnline)

      II. Adobe’s Security Notification Service is Opt-In only:
      “Security is one of our highest priorities, and Adobe understands that security is important to our customers as well. The Adobe Security Notification Service is a free e-mail notification service that Adobe uses to send information to customers about the security of Adobe products. Anyone can subscribe to the service, and you can unsubscribe at any time. […]” (adobe.com/cfusion/entitlement/index.cfm?e=szalert)

      III. “The [U.S. Department of Justice’s] Computer Crime and Intellectual Property Section (CCIPS) […] prevents […] computer crimes by working with […] the private sector […]” (justice.gov/criminal/cybercrime/)

      IV. “United States Computer Emergency Readiness Team: US-CERT’s mission is to […] proactively manage cyber risks […]” (us-cert.gov)

      BTW: “Chicago, Illinois, July 9, 2001 – 1 800 Limo.com, Inc., of Chicago, Illinois and Nova Business Systems, Inc. of St. Louis, Missouri, have forged a strategic alliance to create a new force in the $6.5 billion livery service business […] that will be powered by Nova Business System’s CorporateCarOnLine software. […]” (1800limo.com/800limoPR.cfm)

    3. Neej

      “Its not that they don’t have the cash to bring some one in to manage their databases and make sure they are using encryption, its a mindset – they have been doing it this way for YEARS and all has been good, so why change?”

      This is the nature of many businesses – they’re conservative. Why take the risk of implementing new systems and procedures where money can be lost when you have a system that is already working in other words.

    4. qka

      Why should the government (and you and I, as taxpayers) be subsidizing these businesses? Let the free market put out of business those who cannot implement proper data security.

      1. CoolAC

        When a business is so big, even if they only lose an hour’s worth of work, let alone days, even with a backup…..That could mean a hell of a lot of money lost.

  7. Surfer100

    Another important story. Thank you.

    Did the company notify all 850,000 customers or the credit card companies? When my local hospital was hacked both the hospital and my credit card notified me. New card issued immediately. Speed of doing so is probably important to preventing customer losses.

  8. Jeffrey Carr

    Mandiant organizes an article about the limo-themed spear phishing attack for FP but now declines to comment on your story which elaborates on their original story? How bizarre.

  9. The Oregano Router

    Another highly interesting article, pass the cheese and crackers please

  10. not me

    Almost as good as the “release” of a madam’s little black book, but better because it includes Trump!

  11. JCitizen

    Uh-Oh!

    Maybe now the ritzy businesses will pony up the cash to pay for actual security services! Let them learn a lesson! 😀

  12. Mike Sangrey

    Anyone up for writing a screen play?

    With many of the articles you’ve written here, Brian, I keep thinking the data supporting the articles could be raw material for a ‘Taken’ kind of movie. You know, where the hacker hacks the “wrong guy” who has “special talents.”

    Thank you for your continued efforts of raising awareness. IMO, it’s highly effective. And, also IMO, a movie could help raise people’s awareness, too. It would give new meaning to, “based on true stories.”

  13. Some User

    I’m not sure what the point is of publishing data about these celebrities, their proclivities, habits and gossip — seriously. Are you trying to aggrandize the people who did this? Get more hits? It’s one thing to shame a company for not following standards of practice, it’s acting no better than the criminals to post information like this.

    I mean, really, why not just put out a blog and be done with it.

    1. Peter

      ? the comment would be fair if he had posted the comments for each person but he did not. He simply stated some of the users who had details in the archive. There is no suggestion that any of the listed people did anything inappropriate.

      1. Some User

        While I won’t dismiss your statement offhand, I would like to ask you to consider — would you like it if your habits were outed like this? What if every data breach report required the public release of the names of the people whose data/credentials were taken. No big deal, since it’s just your name that would be made public, right? Let’s say that itself isn’t enough to make you think. Now let’s say it was AA. Or NA. Or your doctor’s office or pharmacy (yes, you could argue HIPAA there, so not applicable, but you surely must see where I’m going with this).

        While I won’t dismiss your point offhand, I’m curious what you consider the difference to be between gossip and important news/data? Surely ‘Politician [A,B,C,D,E,F]’, ‘Entertainer [A,B,C,D,E,F]’, and so forth would have gotten the point across without naming the customers of the company in this article. If you really want to shame the companies for poor practices and terrible data sanitation, why not name *the employees of the company who f*cked up* instead of the *victims* (they may be in the public eye, but does that mean they don’t deserve their privacy?).

        1. Neej

          Other than the fact that they use a limo service what habits are you referring to exactly?

  14. Johann

    “Other Mandia employees who used limo services ”

    Mandia » Mandiant

  15. George Bush

    “a key collaborator on the research in this post”

    Translation, he did all the work. The gimp has a gimp!

  16. DefendOurFree

    http://www.sfgate.com/news/article/Limo-firm-hacked-politician-celeb-data-breached-4954073.php

    Excerpt:

    The stolen files also include records about what took place in the vehicles, including sex, vomiting and smoking marijuana, Krebs reports.

    Rep. John Conyers, D-Mich., whose data was among those breached, declined to comment Monday. But his spokesman Andrew Schreiber said he was appreciative that the matter was brought to his attention.

    Other members of Congress also said they were uninformed.

    “This is the first we have heard about this. We were never notified, but we are looking into the claim,” said Leslie Shedd, spokeswoman for Rep. Lynn Westmoreland, R-Ga.

    (snip)

    1. Peter

      It is quite worrying that the limo firm has not advised those affected. Especially considering many will have credit cards that have no effective limit.

      1. OP

        CorporateCarOnline.com and owner Dan Leonard should be publicly and critically penalized. This blatant disregard for securing data – data which they collected (perhaps unwittingly within their customer base) – should not be excused.

        I also believe that companies such as American Express should be penalized, for they ALLOW this type of abuse to occur, by not enforcing security compliance on companies who are permitted to charge on their cards. I can speak to this directly, as I have attempted to report such abuse from a restaurant chain in affluent West Palm Beach, FL (bigtimerestaurants.com) who are currently allowing “secure” online purchase of gift cards .. but then EMAILING the credit card data to their back-office administrator who processes these after-hours transactions the next business day. This was evident, after the same administrator MAILED (via USPO) the copy of that very email (web form-to-email generated by their website) to me as a “receipt”. I contacted AmEx to complain about that abuse and was merely routed from one department to the next and eventually told they won’t be able to take action.

        This neglect allows companies such as CorporateCarOnline.com to store such private and valued data in an unencrypted text file. What is this, 1970?

  17. Dan Herrmann

    How did they pass their PCI assessments? I think that’s a BIG part of the story that deserves to be looked at.

  18. Brad Wood

    Dan, PCI Compliance scans are a joke IMO. The scans that I’ve dealt with are just an nmap scan of your ports and a probe of common URL/HTTP-based exploits. Then the scanning company sends you an automated PDF with gems like a reverse DNS lookup and traceroute to your server along with an invoice for their approval. There’s no code review and they certainly never look at your database.

    1. Peter

      Very true. I have seen many scans that fail on a particular router because the router has a port open. The software sees the port and assumes it is an open DNS server and fails the check. It does not even bother to check if it is a DNS server (in this instance it is not).

  19. Peter

    Seems to be quite a hoard of information on this server.

    Are these files definitely from 1 group or is it possible that this server is used for data sharing (sort of like the old fop scene)

    1. Some User

      Peter, here we agree — I, too, believe that the ‘owns’ themselves are not the ‘work’ of a singular person/group (whether through sharing, trading, or purchasing — or stealing and aggregating, in a manner probably not too unlike how people like Xylibox, owningyourbotnet, etc, operate. Mr. Krebs and/or Mr. Holden: was this data received via a third party as part of a legal operation or part of a shutdown or other sort of investigation or was it just a lucky find, so to speak?

  20. Richard Steven Hack

    Brian, just a question…

    Are you going to cover the BadBIOS story currently making the rounds? I mean, a top notch security consultant has been unable to clean this virus from his network for THREE YEARS? And most other infosec experts are saying it’s quite possible and taking it seriously – even the part about computer viruses whispering to each other in ultrasound over air-gapped machines!

    If this thing is true, my “no security” meme becomes UTTERLY true! 🙂

    1. Neej

      I’m also following this but I’m a tad skeptical at present given that he’s the only one reporting it.

      1. CoolAC

        I have had the same feeling for years too, even when buying a new hdd. I have even had my computer fried on christmas morning. I kid you not. I already just had a pc die yesterday. The radio station host I listen to had his laptop die…and a friend of mine’s pc died. None of them contact me online, it’s just that time of year…..

        It’s November now…I was getting worried once we hit November 1st…..I only breathe easy when we hit February. These are the worst months, we all have to be very conscious now on our pc’s till after the holidays. All the religious nuts and credit thieves, and bitter lonely psychos are in full force.

        But I will say this, for a decade after Chernobyl (CIH), even when some bios’s had built in virus protection….. Experienced users still ignorantly refused to believe a bios could even get infected. And repeated that talking point for many years in communities.

        Nowadays people admit it can, even to an avg person, but they are refusing to believe this virus can spread? Even back to its own machine? lol….ya I’m not that skeptical. You don’t have to be a programming or genius malware creator to have common sense. IMO, wireless bios and cpus and viruses in them have been around since the 90s.

        Also this year after I believe I got hacked when downloading diff linux distros. I reformatted, and I found out that plugging the infected usb stick in my computer…..wiped my bios password. I was shocked but Yes apparently this is possible. In other words….the prompt kept coming up…and I could enter in my password if I felt like it….or I could just hit ENTER! and go right through….lol Resetting the password fixed this….but I assume I am still infected. I threw that usb stick in the garbage.

        Most of us are probably infected for life and can only mitigate it like hepatitis and herpes, and it’s not because of the NSA. Why would people do this? Because they can. They have no life and live for it, It’s better than reality tv, makes them feel superior.

    1. John Doe

      Something seems fishy.

      I can’t find it *anywhere*. What’s even more odd is that all the other sites on the internet reporting this leak only refer to this page as the source – and they’ve all copied this article almost verbatim. No one else seems to have done any of their own work and dished up any “dirt” besides what’s found in this article. Nor can I find it on any of the sources I usually look for leaks.

      Of course, I could just not be looking hard enough, but something doesn’t add up here.

      1. BrianKrebs Post author

        What’s fishy exactly? That this blog is the source of the story, or that you can’t find a copy of the stolen data?

        1. JCitizne

          Or apparently some folks can’t believe you do original work! :/

  21. Dave

    Does anyone else find it comical that the company spelled out their entire infrastructure. Hey! Here’s the OS we use, the DB, and how we firewall. Plus we use Cold Fusion! Now try and get in. I dare ya! Good grief.

  22. toyotabedzrock

    You should give us the tail numbers. They were illegally hidden by congress for “terrorism” then just for corporate advantage.

  23. DefendOurFree

    http://www.theage.com.au/it-pro/security-it/tom-hanks-lebron-james-donald-trump-personal-information-taken-as-hackers-break-into-limo-service-20131105-hv2cd.html

    Excerpt:

    Such information would be extremely useful in the hands of nation-state level attackers. For a very relevant and timely example of this, consider the cyber spying story printed last month by Foreign Policy magazine. That piece featured an interview with Kevin Mandia, the chief executive of Mandiant, an Alexandria, Virginia, based firm that specialises in helping companies defend against cyber espionage attacks. In the FP story, Mandia said he recently was the target of a targeted cyber attack that tried to foist malicious spyware on him via an email with a booby-trapped PDF copy of a recent limo invoice.

    “I’ve been receiving PDF invoices not from them, but from an [advanced hacking] group back in China; that’s awesome,” Foreign Policy quoted Mandia as saying. According to the story, Mandia only caught the attack when the hackers sent receipts on days when he hadn’t used the car service. “I forwarded them to our security service, and they said, ‘Yup, that’s got a [malicious] payload,” Mandia said.

    Incredibly, this purloined limo database may have played a part in those attacks. Among the 850,000-plus records in the stolen CorporateCarOnline data are several travel records for Mandiant employees, including Kevin’s. Other Mandiant employees who used limo services via CorporateCarOnline include David Swanson, manager of strategic solutions at Mandiant, and Andrew Williams, a sales account executive. Data was shared with Mandiant however, the company declined to comment for this story.

    (snip)

    1. mike moxcey

      Seems to me if you wanted to use this data as a terrorist or nation-state, you wouldn’t publish it you would keep your tentacles inside the org and mine it for upcoming appointments.

      Of course, publishing the data doesn’t mean the limo service will fix the hole, but it does mean people will stop using the service.

      Especially if you can’t eat cheese and crackers in the back.

      1. Shannon

        They didn’t “Publish”. As noted in the 1st paragraph; the data was found on the same server where stolen PR Newswire data was located.

        We can snicker about hackers not locking their own doors, but it wasn’t their intention for the stolen information be a subject of any discussion.

  24. OOP

    The company CorporateCarOnline.com and its owner Dan Leonard should be publicly and critically penalized. This blatant disregard for securing data – data which they collected (perhaps unwittingly within their customer base) – should not be excused.

    I also believe that companies such as American Express should be penalized, for they ALLOW this type of abuse to occur, by not enforcing security compliance on companies who are permitted to charge on their cards. I can speak to this directly, as I have attempted to report such abuse from a restaurant chain in affluent West Palm Beach, FL (bigtimerestaurants.com) who are currently allowing “secure” online purchase of gift cards .. but then EMAILING the credit card data to their back-office administrator who processes these after-hours transactions the next business day. This was evident, after the same administrator MAILED (via USPO) the copy of that very email (web form-to-email generated by their website) to me as a “receipt”. I contacted AmEx to complain about that abuse and was merely routed from one department to the next and eventually told they won’t be able to take action.

    This neglect allows companies such as CorporateCarOnline.com to store such private and valued data in an unencrypted text file. What is this, 1970?

    1. JCitizen

      OOooh! I get mad just hearing that! Perhaps turning such things into the CFPB might help, but I’m not sure how far the reach is for that bureau under the Consumer Financial Protection Act of 2010. But things like that should be included in any directives to come out of that office. Public comment can bring action in these areas; I know I had to respond to such public comment periods when the BATF proposed regulatory directives.

  25. Cassandra

    Since when is having sex not considered to be “behaving civilly”? (assuming it was safe, sane, and consensual, of course)

  26. Winski

    Just ANOTHER reason why Apple users DON’T WANT (or need) ANYTHING from Microshaft…

    1. Shannon

      Please (oh, please) explain what any of the information in this article has to do with Microsoft.

      … we’ll wait here.

    2. CoolAC

      Apple gets hacked all the time too nowadays man. You’re not much safer on it. Maybe a better argument with linux, but that’s debatable too.

      I think whats happening now, is we just are getting revelations of things that have always been going on. They are just getting more and more exposure.

  27. Michael

    Have American Express and the other credit card companies been given the list of credit card numbers? They should be interested in replacing these cards, as many are probably corporate, and misuse will likely not be spotted very quickly.
