American Express admits card data exposed and blames third party

A security failure at a third-party vendor exposed an untold number of American Express card numbers, expiry dates, and other data to persons unknown.

“We became aware that a third-party service provider engaged by numerous merchants experienced unauthorized access to its system,” Amex chief privacy officer Anneke Covell wrote in a letter [PDF] to customers at the end of last month, alerting them to the snafu.

“Your current or previously issued American Express card account number, your name, and other card information such as the expiration date, may have been compromised. It is important to note that American Express owned or controlled systems were not compromised by this incident.”

The US state of Massachusetts also disclosed [PDF] the blunder as part of its rules on publicizing privacy breaches. It’s worth noting American Express has appeared in Massachusetts reports of data leakage a total of 16 times so far this year, with the other incidents mostly only covering a few (read: single digit) MA residents.

Notification letters for those screw-ups state that individual merchants were compromised, exposing their customer records, or that Amex customer data was found online during a law enforcement investigation and reported. 

For worried Amex customers, the finance giant gave assurances in its letters that customers aren’t liable for fraudulent charges. Amex suggests customers regularly review their statements, and sign up for account alerts that notify users via text, email, or through its mobile app of any suspicious charges. ®