American Express admits card data exposed and blames third party
Don't leave home without … IT security
A security failure at a third-party vendor exposed an untold number of American Express card numbers, expiry dates, and other data to persons unknown.
"We became aware that a third-party service provider engaged by numerous merchants experienced unauthorized access to its system," Amex chief privacy officer Anneke Covell wrote in a letter [PDF] to customers at the end of last month, alerting them to the snafu.
"Your current or previously issued American Express card account number, your name, and other card information such as the expiration date, may have been compromised. It is important to note that American Express owned or controlled systems were not compromised by this incident."
The US state of Massachusetts disclosed [PDF] the blunder as part of its rules on publicizing privacy breaches.
It's worth noting American Express has appeared in Massachusetts' reports of data leakage a total of 16 times so far this year, with the other incidents mostly only covering a few (read: single digit) MA residents.
Notification letters for those dozen or so screw-ups state that individual merchants were compromised, exposing their customer records, or that Amex customer data was found online during a law enforcement investigation and reported. Amex's spokespeople stressed to The Reg that these blunders "were not caused by a data breach at American Express or at a service provider of American Express." For example, in two of the cases, "the incidents resulted from point-of-sale attacks at merchant processors, and are not related" to any failures on American Express's end, we're told.
For worried Amex customers, the finance giant gave assurances in its letters that customers aren't liable for fraudulent charges. Amex suggests customers regularly review their statements, and sign up for account alerts that notify users via text, email, or through its mobile app of any suspicious charges. ®