American Express says customer data exposed in third-party breach

American Express (Amex) credit card holders may have had some of their account information exposed via a third party breach, the company has disclosed.

The financial services and credit card giant filed a breach notification letter as “a precautionary measure” with the Massachusetts State Attorney General’s Office on March 4th.

An American Express spokesperson told Cybernews the “incident was not caused by a data breach” at the company or any of its service providers.

The breach was caused by “a point-of-sale attack at a merchant processor in which American Express Card member data was impacted,” they said.

It has been reported the merchant processor at the center of the hack is used by the American Express Travel Related Services Company, one of the entities under the company’s travel services division.

The Amex notification letter states that the account information of some Card Members “may have been involved,” including:

  • Your name
  • American Express Card account number
  • Expiration date

This applies to credit card account numbers that are currently active or were previously issued, which means some customers may receive more than one letter about the incident, the company said.

[Image: American Express breach notification letter filed with the Massachusetts AG. Image by Cybernews.]

The breach notification letter states that Amex was informed by the third-party service provider – which is used by numerous merchants – that it had “experienced unauthorized access to its system” but did not provide any specific dates.

“A courtesy notice of this incident was provided to the Massachusetts regulators due to impacts to American Express Card members residing in Massachusetts,” the spokesperson said.

Amex addresses card holders

“Protecting the security of our Card Members’ information is very important to us and we strive to let you know about security concerns as soon as possible,” American Express said.

American Express Card Members will not be liable for fraudulent charges on their accounts, and the company will take protective actions if it sees any unusual activity on an account, the spokesperson told Cybernews.

“We have sophisticated monitoring systems and internal safeguards in place to help detect fraudulent and suspicious activity.”

Amex is recommending that customers regularly review and monitor their account activity, and immediately contact Amex if they detect any suspicious activity.

“For added protection, customers can receive free fraud and account activity alerts via email, SMS text messaging, and/or notifications through our app,” the spokesperson added.

Headquartered in lower Manhattan, American Express provides multiple banking services, from online checking and savings accounts to personal loans, as well as corporate and luxury travel programs.

There are over 121 million Amex card holders worldwide, according to the latest research by Zippia, with more than 50% of those card holders in the United States.

Third-party service providers need to be held accountable

Liat Hayun, CEO and co-founder of Eureka Security, highlighted to Cybernews that the Amex breach is “coming just weeks after similar incidents at Bank of America.”

“This incident likely stemming from unauthorized system access… underscores the critical need for organizations to hold their service providers accountable for data security,” Hayun said.

In mid-February, it was revealed that the data of more than 50,000 Bank of America customers was exposed in a third-party breach of the American financial services provider Infosys McCamish Systems (IMS).

The IMS breach, which took place last November, was eventually claimed by the LockBit ransomware gang.

It was the second third-party breach for Bank of America in 2023 – BOA fell victim to the infamous MOVEit hacks when accounting giant Ernst & Young was hit by the Cl0p ransom group, exposing another 30,000 customers.

“Lessons from past breaches highlight the importance of robust access controls,” Hayun said.

“While mapping access points for sensitive data can be complex, it's a crucial security measure that organizations must prioritize in alignment with their overall business objectives and compliance requirements,” she said.