Amex Customer Data Exposed in Third-Party Breach

The breach occurred through a third-party service provider frequently used by the company's travel services division.

American Express is notifying its customers that their credit cards were exposed in a breach involving a third-party service provider.

In a data breach notification filed with the state of Massachusetts, the American bank holding and financial services company notes that its own systems were not compromised by the incident. 

The breach instead occurred through a provider frequently used by the company's travel services division.

Credit card information such as American Express card account numbers, names, and expiration dates is at risk, and users should expect follow-up contact from the company if they have more than one American Express card involved in the breach.

Anyone who has been potentially affected should review their accounts for fraudulent activity periodically over the next 12 to 24 months. Users should also enable notifications from the American Express Mobile app to stay up to date with their account activity. 

"The recent data breach impacting American Express customers, coming just weeks after similar incidents at Bank of America, underscores the critical need for organizations to hold their service providers accountable for data security," said Liat Hayun, CEO and co-founder of Eureka Security, in an emailed statement. "Lessons from past breaches highlight the importance of robust access controls, as this incident likely stemmed from unauthorized system access."

The Bank of America breach that Hayun referred to was a leak that occurred just last month after a ransomware attack breached one of its third-party providers, Infosys McCamish Systems (IMS), affecting at least 57,028 customers. Though IMS reported that it would not be able to determine with certainty precisely what information was compromised, it likely included sensitive material such as Social Security numbers, names, addresses, dates of birth, and other private information.

American Express has provided tips in its letter to help users protect their information and assures them that, should they find fraudulent activity on their accounts, they will not be held liable for those charges.
