American Express is investigating a potential data breach in California.
Apparently, one of the third-party service providers used by the payment giant’s merchant partners was compromised, leading to the possible exposure of account numbers, names, expiration dates and other information.
In a notice [PDF] to customers filed with the Office of the Attorney General in California, Amex chief privacy officer Stefanie Ash said that the company was “vigilantly monitoring” accounts for fraudulent activity. The notice said that customers could receive more than one letter about the incident if more than one account was affected.
“It is important to note that American Express owned or controlled systems were not compromised by this incident, and we are providing this notice to you as a precautionary measure,” Ash wrote.
The incident is only the latest card breach involving the supply chain. The infamous Home Depot breach in 2014 was due to stolen credentials from a third-party vendor. Hackers were able to acquire elevated rights that allowed them to navigate to other portions of Home Depot's network and, eventually, to deploy the malware that stole card information from point-of-sale machines. Similarly, in the Target breach, hackers gained access via credentials used by its HVAC contractor.
The ongoing attacks through third parties show that institutions are facing sophisticated, well-organized adversaries engaged in what has become a lucrative crime, which underlines the importance of securing the data itself rather than only the network perimeter.
“This third-party incident highlights the need for organizations to take a data-centric approach to securing sensitive information at the source,” said Jason du Preez, CEO of data privacy company Privitar. “This process would ensure only essential data is visible, enabling organizations to confidently pass sensitive information to third parties without the risk of it being connected to an individual.”
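The data-centric approach du Preez describes, in which a third party receives only the fields it needs and nothing that links back to the cardholder, is illustrated below with an added example that is not from the article, American Express or Privitar. It assumes a hypothetical analytics vendor that only needs a transaction amount and a consistent per-card identifier; the card numbers are well-known industry test numbers and the records are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample records of the kind a merchant might hold. The PANs are
# published industry test numbers, not real accounts.
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "pan": "371449635398431", "exp": "12/27", "amount": 42.50},
    {"name": "John Roe", "pan": "4111111111111111", "exp": "06/26", "amount": 13.00},
    {"name": "Jane Doe", "pan": "371449635398431", "exp": "12/27", "amount": 7.25},
]

# Tokenization key held by the data owner only. In practice this lives in an
# HSM or key-management service; it is generated per run here so the example
# is self-contained.
KEY = secrets.token_bytes(32)


def luhn_ok(pan: str) -> bool:
    """Luhn check: a cheap sanity test that a field really holds a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def tokenize_pan(pan: str, key: bytes) -> str:
    """Keyed pseudonym for a PAN.

    HMAC rather than a plain hash: the PAN space for a known issuer prefix is
    small enough to enumerate, so an unkeyed SHA-256 of the PAN could be
    reversed by brute force. With the key kept by the data owner, the vendor
    sees a stable identifier for the same card but cannot recover the PAN.
    """
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()[:32]


def vendor_view(record: dict, key: bytes) -> dict:
    """Project a merchant record down to what the (hypothetical) vendor needs.

    Name, full PAN and expiry date are dropped; only the amount and a token
    that is consistent per card are released.
    """
    if not luhn_ok(record["pan"]):
        raise ValueError("record does not contain a plausible card number")
    return {
        "card_token": tokenize_pan(record["pan"], key),
        "amount": record["amount"],
    }


def pseudonymize(records: list, key: bytes) -> list:
    """Build the full data set that would be handed to the third party."""
    return [vendor_view(r, key) for r in records]


def leaks_sensitive_fields(vendor_records: list, source_records: list) -> bool:
    """Release check: serialize the outbound payload and confirm no name or
    PAN from the source data appears anywhere in it."""
    payload = json.dumps(vendor_records)
    for r in source_records:
        if r["pan"] in payload or r["name"] in payload:
            return True
    return False


if __name__ == "__main__":
    out = pseudonymize(SAMPLE_RECORDS, KEY)
    print(json.dumps(out, indent=2))
    print("sensitive fields leaked:", leaks_sensitive_fields(out, SAMPLE_RECORDS))
```

The release check at the end is the part worth keeping in a real pipeline: whatever projection logic is used, an automated scan of the outbound payload for PANs and names catches the case where a new field is added upstream and quietly widens what the vendor receives.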
He added that organizations that fail to act will not only find themselves on the receiving end of hefty fines, but they could also suffer from customers voting with their feet. For instance, the fallout from a damaging data breach in October last year continues to affect UK ISP TalkTalk, with figures claiming that the firm lost 7% of its broadband customers in the fourth quarter.
“There is already evidence that the way companies manage and process data has a direct impact on brand and customer loyalty,” du Preez said. “Our own research found that a company’s record for protecting and respecting customer data is one of the main considerations for consumers when choosing a service. With stronger security and greater transparency, consumers will be in a far better position to pick those services that they not only need the most, but feel the most comfortable using.”
Photo © Nadalina/Shutterstock.com