
American Express hit by data breach

Some cardholders may have had their information leaked in a recent third-party breach. 


What happened

American Express Co. recently filed a notice with the state of Massachusetts, explaining that the company had been part of a data breach. 

American Express did not share how many cardholders may have had their account information accessed. The incident stemmed from the hacking of a merchant processor used by AmEx.

In the filing, AmEx said breached information may have included account numbers, names, and other related card information, such as expiration dates. Customers with more than one American Express card may receive multiple notices. Although customer information was accessed, systems owned or controlled by American Express were not compromised. 

The company is encouraging customers to review their account statements for any fraudulent charges, which, if found, will be removed once reported.


What was said

In a statement to CBSN, an American Express spokesperson said, “We have sophisticated monitoring systems and internal safeguards in place to help detect fraudulent and suspicious activity. If we see there is unusual activity that may be fraud, we will take protective actions.”

The spokesperson also clarified that some media outlets have mistakenly labeled the incident as a direct attack on American Express when it was instead an incident with a merchant processor. “Because customer data was impacted, American Express provided notice of the incidents to Massachusetts agencies and impacted customers who reside in Massachusetts.”  

Cybersecurity expert Brian Boyd weighed in, saying that the breach is surprising given American Express’ strong reputation: “Unfortunately, it still managed to fall victim to a supply chain incident.”


Why it matters

The incident isn’t the first for banks. Recently, Bank of America also suffered a data breach linked to a third-party service.

Even with a strong reputation and security system in place, banks – and other major industries like hospitals – are often reliant on third parties to outsource certain operational tasks.

In the healthcare industry, third parties must sign a business associate agreement if they will be handling protected health information. Agreements like these help both organizations understand their legal obligation to protect data, but outside healthcare mandates, not every third-party organization will agree to sign one. 

Read more: How a business associate data breach impacts a covered entity