American Express (Amex) has alerted customers that their credit card details may have been compromised following a third-party data breach.
In a notice letter to customers, filed with the US State of Massachusetts, the credit card provider warned that current or previously issued Amex card account numbers, customer names, and other card details such as the expiration date, may have been accessed in the attack.
The firm added that customers may receive additional notification letters if more than one of their Amex accounts was involved.
It is currently unknown how many customers may have been impacted by the incident.
The State of Massachusetts’ 2024 Data Breach Notification Report shows numerous third-party incidents reported by American Express in late February involving compromised credit card details.
Altogether, these add up to 33 impacted citizens from the state.
Amex Suffers Third Party Breach
American Express stated that the breach occurred in “a third-party service provider engaged by numerous merchants,” which may have involved account information of some of its card members.
There was no information about who the third-party merchant processor is.
No American Express owned or controlled systems were compromised by the incident, the company added.
Commenting on the story, Brian Boyd, head of technical delivery at i-confidential, said that many people will be surprised to see American Express’ data breach notification, given its status as one of the world’s most reputable financial players.
“American Express will undoubtedly employ some of the most advanced cybersecurity tools in the world. Unfortunately, it still managed to fall victim to a supply chain incident.
“This echoes what happened last month when Bank of America also announced it had suffered a data breach because of a supplier. Clearly, while banks can adopt state-of-the-art defenses across their own infrastructure, this doesn’t make them immune to supply chain attacks,” explained Boyd.
Boris Cipot, senior security engineer at the Synopsys Software Integrity Group, noted that it is often far easier for cyber-attackers to exploit vulnerabilities in smaller third-party companies to gain access to data held by large organizations.
“Monitoring data usage within our network is relatively straightforward. However, once data leaves our systems, it becomes more challenging to ensure its proper handling by partnering companies,” he observed.
“Data owners must ensure that partnering companies treat the data securely and responsibly, similar to how it's managed within our own systems,” added Cipot.
Boyd advised big organizations to hold an inventory of all their suppliers to understand the inherent risk of each of them.
“Include the appropriate clauses in supplier contracts, assure suppliers based on their classification or inherent risk and, where suppliers need to remediate issues, follow up to ensure they do,” he outlined.
How Amex Customers Can Mitigate the Risk of Fraud
American Express assured contacted customers that it is “vigilantly monitoring your account for fraud,” and that they will not be liable for any fraudulent charges on their account.
It provided the following advice to potentially impacted customers to mitigate the risk of fraud:
- Review your Amex account statements carefully for signs of fraudulent activity, especially over the next 12 to 24 months
- Enable notifications in the American Express Mobile app to receive instant notifications of potential suspicious activity
- Visit the Federal Trade Commission (FTC) website for information on how to protect yourself against ID theft and how to safeguard your electronic devices from viruses and other malicious software
- Report any suspected identity theft to law enforcement
- Contact the major credit bureaus to get useful information about protecting your credit, including information about fraud alerts and security freezes