American Express Data Breach

American Express notified card members today of a data breach impacting some customer information, emphasizing that its systems were not compromised. The breach originated from a third-party service provider used by numerous merchants, potentially exposing customer details including card numbers, names, and expiration dates.

What Happened:

American Express discovered unauthorized access to a system utilized by a third-party service provider engaged by various merchants. This incident may have compromised the account information of some American Express card members.

American Express has filed a data breach notification with the state of Massachusetts regarding potential impacts on cardholder information, which may include current or previously issued American Express card numbers, cardholder names, and card information such as expiration dates.

“At this time, we have been informed that your current or previously issued American Express Card account number, your name and other Card information such as the expiration date, may have been compromised. Please be aware that you may receive additional letters from us if more than one of your American Express Card accounts were involved.”

American Express

In response to this situation, American Express has taken several measures to address the issue. The company has affirmed the security of its own systems and is actively monitoring accounts for any signs of fraudulent activity.

Additionally, cardholders are reassured that they are not liable for unauthorized charges. American Express has provided resources and information on fraud protection through its Security Center website.

For insights into this, we reached out to Piyush Pandey, CEO at Pathlock who stated, “Over the last few years, we’ve seen a significant uptick in third-party data breaches. In this example, there are multiple parties, or what we call “nth party” risk. This places a much greater emphasis on organizations to vet their third parties during onboarding to minimize access risk.”

Piyush also cautioned businesses about the importance of scrutinizing third parties before entering into business partnerships with them. “Organizations must also ensure that the third-party partners of the third parties they are doing business with are assessed for access risk. It should become part of standard third-party contracts to specify breach response responsibilities,” he explained. “Masking data to provide only what is needed by third parties to provide services must be a best practice.”

Nevertheless, American Express card members are advised to review their account statements for any suspicious activity, especially over the next 12-24 months. They are also encouraged to enable account notifications via the American Express Mobile app or through email/text messaging for added security.

Furthermore, updating contact information with American Express is recommended to ensure smooth communication if necessary.

Rising Incidents of Third-Party Data Breaches

The beginning of 2024 has witnessed a noticeable uptick in data breaches affecting diverse sectors, including corporate entities and governmental organizations. On February 23 2024, a threat actor using the alias IntelBroker leaked 2.4 million data belonging to private plane owners linked to the Los Angeles International Airport.

In August 2023, an IT contractor employed by the Metropolitan Police Force experienced a cyberattack that impacted over 50,000 MET police personnel.

In September 2023, a third-party contractor experienced a data breach that affected over 8,000 Greater Manchester Police Officers. In October 2023, another contractor inadvertently exposed their database, resulting in the leakage of sensitive details about 500,000 Irish Police vehicle seizure records.